diff --git a/patch/kernel/cubox-dev/patch-3.14.60-61.patch b/patch/kernel/cubox-dev/patch-3.14.60-61.patch new file mode 100644 index 000000000..9b42d0806 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.60-61.patch @@ -0,0 +1,2765 @@ +diff --git a/Makefile b/Makefile +index 502255cebc9a..fbf4ec689957 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 60 ++SUBLEVEL = 61 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/parisc/include/uapi/asm/mman.h b/arch/parisc/include/uapi/asm/mman.h +index 294d251ca7b2..2ae13ce592e8 100644 +--- a/arch/parisc/include/uapi/asm/mman.h ++++ b/arch/parisc/include/uapi/asm/mman.h +@@ -46,16 +46,6 @@ + #define MADV_DONTFORK 10 /* don't inherit across fork */ + #define MADV_DOFORK 11 /* do inherit across fork */ + +-/* The range 12-64 is reserved for page size specification. */ +-#define MADV_4K_PAGES 12 /* Use 4K pages */ +-#define MADV_16K_PAGES 14 /* Use 16K pages */ +-#define MADV_64K_PAGES 16 /* Use 64K pages */ +-#define MADV_256K_PAGES 18 /* Use 256K pages */ +-#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */ +-#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */ +-#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */ +-#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */ +- + #define MADV_MERGEABLE 65 /* KSM may merge identical pages */ + #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */ + +diff --git a/arch/parisc/include/uapi/asm/siginfo.h b/arch/parisc/include/uapi/asm/siginfo.h +index d7034728f377..1c75565d984b 100644 +--- a/arch/parisc/include/uapi/asm/siginfo.h ++++ b/arch/parisc/include/uapi/asm/siginfo.h +@@ -1,6 +1,10 @@ + #ifndef _PARISC_SIGINFO_H + #define _PARISC_SIGINFO_H + ++#if defined(__LP64__) ++#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int)) ++#endif ++ + #include + + #undef NSIGTRAP +diff --git a/arch/parisc/kernel/signal.c b/arch/parisc/kernel/signal.c +index 1cba8f29bb49..78bb6dd88e03 100644 +--- a/arch/parisc/kernel/signal.c ++++ b/arch/parisc/kernel/signal.c +@@ -442,6 +442,55 @@ handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka, + regs->gr[28]); + } + ++/* ++ * Check how the syscall number gets loaded into %r20 within ++ * the delay branch in userspace and adjust as needed. ++ */ ++ ++static void check_syscallno_in_delay_branch(struct pt_regs *regs) ++{ ++ u32 opcode, source_reg; ++ u32 __user *uaddr; ++ int err; ++ ++ /* Usually we don't have to restore %r20 (the system call number) ++ * because it gets loaded in the delay slot of the branch external ++ * instruction via the ldi instruction. ++ * In some cases a register-to-register copy instruction might have ++ * been used instead, in which case we need to copy the syscall ++ * number into the source register before returning to userspace. ++ */ ++ ++ /* A syscall is just a branch, so all we have to do is fiddle the ++ * return pointer so that the ble instruction gets executed again. ++ */ ++ regs->gr[31] -= 8; /* delayed branching */ ++ ++ /* Get assembler opcode of code in delay branch */ ++ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4); ++ err = get_user(opcode, uaddr); ++ if (err) ++ return; ++ ++ /* Check if delay branch uses "ldi int,%r20" */ ++ if ((opcode & 0xffff0000) == 0x34140000) ++ return; /* everything ok, just return */ ++ ++ /* Check if delay branch uses "nop" */ ++ if (opcode == INSN_NOP) ++ return; ++ ++ /* Check if delay branch uses "copy %rX,%r20" */ ++ if ((opcode & 0xffe0ffff) == 0x08000254) { ++ source_reg = (opcode >> 16) & 31; ++ regs->gr[source_reg] = regs->gr[20]; ++ return; ++ } ++ ++ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n", ++ current->comm, task_pid_nr(current), opcode); ++} ++ + static inline void + syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) + { +@@ -464,10 +513,7 @@ syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) + } + /* fallthrough */ + case -ERESTARTNOINTR: +- /* A syscall is just a branch, so all +- * we have to do is fiddle the return pointer. +- */ +- regs->gr[31] -= 8; /* delayed branching */ ++ check_syscallno_in_delay_branch(regs); + break; + } + } +@@ -516,15 +562,9 @@ insert_restart_trampoline(struct pt_regs *regs) + } + case -ERESTARTNOHAND: + case -ERESTARTSYS: +- case -ERESTARTNOINTR: { +- /* Hooray for delayed branching. We don't +- * have to restore %r20 (the system call +- * number) because it gets loaded in the delay +- * slot of the branch external instruction. +- */ +- regs->gr[31] -= 8; ++ case -ERESTARTNOINTR: ++ check_syscallno_in_delay_branch(regs); + return; +- } + default: + break; + } +diff --git a/arch/sh/include/uapi/asm/unistd_64.h b/arch/sh/include/uapi/asm/unistd_64.h +index e6820c86e8c7..47ebd5b5ed55 100644 +--- a/arch/sh/include/uapi/asm/unistd_64.h ++++ b/arch/sh/include/uapi/asm/unistd_64.h +@@ -278,7 +278,7 @@ + #define __NR_fsetxattr 256 + #define __NR_getxattr 257 + #define __NR_lgetxattr 258 +-#define __NR_fgetxattr 269 ++#define __NR_fgetxattr 259 + #define __NR_listxattr 260 + #define __NR_llistxattr 261 + #define __NR_flistxattr 262 +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 1de4beeb25f8..1971f3ccb09a 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -125,6 +125,23 @@ int af_alg_release(struct socket *sock) + } + EXPORT_SYMBOL_GPL(af_alg_release); + ++void af_alg_release_parent(struct sock *sk) ++{ ++ struct alg_sock *ask = alg_sk(sk); ++ bool last; ++ ++ sk = ask->parent; ++ ask = alg_sk(sk); ++ ++ lock_sock(sk); ++ last = !--ask->refcnt; ++ release_sock(sk); ++ ++ if (last) ++ sock_put(sk); ++} ++EXPORT_SYMBOL_GPL(af_alg_release_parent); ++ + static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { + struct sock *sk = sock->sk; +@@ -132,6 +149,7 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + struct sockaddr_alg *sa = (void *)uaddr; + const struct af_alg_type *type; + void *private; ++ int err; + + if (sock->state == SS_CONNECTED) + return -EINVAL; +@@ -157,16 +175,22 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + return PTR_ERR(private); + } + ++ err = -EBUSY; + lock_sock(sk); ++ if (ask->refcnt) ++ goto unlock; + + swap(ask->type, type); + swap(ask->private, private); + ++ err = 0; ++ ++unlock: + release_sock(sk); + + alg_do_release(type, private); + +- return 0; ++ return err; + } + + static int alg_setkey(struct sock *sk, char __user *ukey, +@@ -199,11 +223,15 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + const struct af_alg_type *type; +- int err = -ENOPROTOOPT; ++ int err = -EBUSY; + + lock_sock(sk); ++ if (ask->refcnt) ++ goto unlock; ++ + type = ask->type; + ++ err = -ENOPROTOOPT; + if (level != SOL_ALG || !type) + goto unlock; + +@@ -247,14 +275,13 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) + security_sk_clone(sk, sk2); + + err = type->accept(ask->private, sk2); +- if (err) { +- sk_free(sk2); ++ if (err) + goto unlock; +- } + + sk2->sk_family = PF_ALG; + +- sock_hold(sk); ++ if (!ask->refcnt++) ++ sock_hold(sk); + alg_sk(sk2)->parent = sk; + alg_sk(sk2)->type = type; + +diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c +index 850246206b12..c542c0d88afd 100644 +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -51,7 +51,8 @@ static int hash_sendmsg(struct kiocb *unused, struct socket *sock, + + lock_sock(sk); + if (!ctx->more) { +- err = crypto_ahash_init(&ctx->req); ++ err = af_alg_wait_for_completion(crypto_ahash_init(&ctx->req), ++ &ctx->completion); + if (err) + goto unlock; + } +@@ -131,6 +132,7 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page, + } else { + if (!ctx->more) { + err = crypto_ahash_init(&ctx->req); ++ err = af_alg_wait_for_completion(err, &ctx->completion); + if (err) + goto unlock; + } +@@ -192,9 +194,14 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) + struct sock *sk2; + struct alg_sock *ask2; + struct hash_ctx *ctx2; ++ bool more; + int err; + +- err = crypto_ahash_export(req, state); ++ lock_sock(sk); ++ more = ctx->more; ++ err = more ? crypto_ahash_export(req, state) : 0; ++ release_sock(sk); ++ + if (err) + return err; + +@@ -205,7 +212,10 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) + sk2 = newsock->sk; + ask2 = alg_sk(sk2); + ctx2 = ask2->private; +- ctx2->more = 1; ++ ctx2->more = more; ++ ++ if (!more) ++ return err; + + err = crypto_ahash_import(&ctx2->req, state); + if (err) { +diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c +index c7666f401381..a3dfc0d83107 100644 +--- a/crypto/crypto_user.c ++++ b/crypto/crypto_user.c +@@ -477,6 +477,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + if (link->dump == NULL) + return -EINVAL; + ++ down_read(&crypto_alg_sem); + list_for_each_entry(alg, &crypto_alg_list, cra_list) + dump_alloc += CRYPTO_REPORT_MAXSIZE; + +@@ -486,8 +487,11 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + .done = link->done, + .min_dump_alloc = dump_alloc, + }; +- return netlink_dump_start(crypto_nlsk, skb, nlh, &c); ++ err = netlink_dump_start(crypto_nlsk, skb, nlh, &c); + } ++ up_read(&crypto_alg_sem); ++ ++ return err; + } + + err = nlmsg_parse(nlh, crypto_msg_min[type], attrs, CRYPTOCFGA_MAX, +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index cc5f102bebf3..111614b48f96 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -249,6 +249,26 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { PCI_VDEVICE(INTEL, 0x3b2b), board_ahci }, /* PCH RAID */ + { PCI_VDEVICE(INTEL, 0x3b2c), board_ahci }, /* PCH RAID */ + { PCI_VDEVICE(INTEL, 0x3b2f), board_ahci }, /* PCH AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b0), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b1), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b2), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b3), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b4), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b5), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b6), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19b7), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19bE), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19bF), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c0), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c1), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c2), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c3), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c4), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c5), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c6), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19c7), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19cE), board_ahci }, /* DNV AHCI */ ++ { PCI_VDEVICE(INTEL, 0x19cF), board_ahci }, /* DNV AHCI */ + { PCI_VDEVICE(INTEL, 0x1c02), board_ahci }, /* CPT AHCI */ + { PCI_VDEVICE(INTEL, 0x1c03), board_ahci }, /* CPT AHCI */ + { PCI_VDEVICE(INTEL, 0x1c04), board_ahci }, /* CPT RAID */ +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index b65d79cd43d5..8b24a7bb573b 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -487,8 +487,8 @@ void ahci_save_initial_config(struct device *dev, + } + } + +- /* fabricate port_map from cap.nr_ports */ +- if (!port_map) { ++ /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ ++ if (!port_map && vers < 0x10300) { + port_map = (1 << ahci_nr_ports(cap)) - 1; + dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); + +@@ -1253,6 +1253,15 @@ static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp, + ata_tf_to_fis(tf, pmp, is_cmd, fis); + ahci_fill_cmd_slot(pp, 0, cmd_fis_len | flags | (pmp << 12)); + ++ /* set port value for softreset of Port Multiplier */ ++ if (pp->fbs_enabled && pp->fbs_last_dev != pmp) { ++ tmp = readl(port_mmio + PORT_FBS); ++ tmp &= ~(PORT_FBS_DEV_MASK | PORT_FBS_DEC); ++ tmp |= pmp << PORT_FBS_DEV_OFFSET; ++ writel(tmp, port_mmio + PORT_FBS); ++ pp->fbs_last_dev = pmp; ++ } ++ + /* issue & wait */ + writel(1, port_mmio + PORT_CMD_ISSUE); + +diff --git a/drivers/base/memory.c b/drivers/base/memory.c +index bece691cb5d9..3e2a3059b1f8 100644 +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -311,6 +311,10 @@ static int memory_subsys_offline(struct device *dev) + if (mem->state == MEM_OFFLINE) + return 0; + ++ /* Can't offline block with non-present sections */ ++ if (mem->section_count != sections_per_block) ++ return -EINVAL; ++ + return memory_block_change_state(mem, MEM_OFFLINE, MEM_ONLINE); + } + +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c +index 643bba7d6f81..9eab751efeea 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -490,7 +490,7 @@ static void ibmvtpm_crq_process(struct ibmvtpm_crq *crq, + } + ibmvtpm->rtce_size = be16_to_cpu(crq->len); + ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!ibmvtpm->rtce_buf) { + dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n"); + return; +diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c +index deabd2c8772d..ced6d61c1787 100644 +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -492,8 +492,6 @@ static void hid_ctrl(struct urb *urb) + struct usbhid_device *usbhid = hid->driver_data; + int unplug = 0, status = urb->status; + +- spin_lock(&usbhid->lock); +- + switch (status) { + case 0: /* success */ + if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN) +@@ -513,6 +511,8 @@ static void hid_ctrl(struct urb *urb) + hid_warn(urb->dev, "ctrl urb status %d received\n", status); + } + ++ spin_lock(&usbhid->lock); ++ + if (unplug) { + usbhid->ctrltail = usbhid->ctrlhead; + } else { +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c +index 422a9fdeb53e..6eb9dc9ef8f3 100644 +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1626,11 +1626,8 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd, + /* + * Only pass ioctls through if the device sizes match exactly. + */ +- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) { +- int err = scsi_verify_blk_ioctl(NULL, cmd); +- if (err) +- r = err; +- } ++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) ++ r = scsi_verify_blk_ioctl(NULL, cmd); + + if (r == -ENOTCONN && !fatal_signal_pending(current)) + queue_work(kmultipathd, &m->process_queued_ios); +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c +index d6e47033b5e0..7ba85e2b146b 100644 +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -471,8 +471,10 @@ static int btree_split_sibling(struct shadow_spine *s, dm_block_t root, + + r = insert_at(sizeof(__le64), pn, parent_index + 1, + le64_to_cpu(rn->keys[0]), &location); +- if (r) ++ if (r) { ++ unlock_block(s->info, right); + return r; ++ } + + if (key < le64_to_cpu(rn->keys[0])) { + unlock_block(s->info, right); +diff --git a/drivers/media/pci/saa7134/saa7134-alsa.c b/drivers/media/pci/saa7134/saa7134-alsa.c +index dd67c8a400cc..6bac4a53da1d 100644 +--- a/drivers/media/pci/saa7134/saa7134-alsa.c ++++ b/drivers/media/pci/saa7134/saa7134-alsa.c +@@ -1145,6 +1145,8 @@ static int alsa_device_init(struct saa7134_dev *dev) + + static int alsa_device_exit(struct saa7134_dev *dev) + { ++ if (!snd_saa7134_cards[dev->nr]) ++ return 1; + + snd_card_free(snd_saa7134_cards[dev->nr]); + snd_saa7134_cards[dev->nr] = NULL; +@@ -1194,7 +1196,8 @@ static void saa7134_alsa_exit(void) + int idx; + + for (idx = 0; idx < SNDRV_CARDS; idx++) { +- snd_card_free(snd_saa7134_cards[idx]); ++ if (snd_saa7134_cards[idx]) ++ snd_card_free(snd_saa7134_cards[idx]); + } + + saa7134_dmasound_init = NULL; +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +index fca336b65351..2bece37d0228 100644 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -264,7 +264,7 @@ static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_ + + struct v4l2_standard32 { + __u32 index; +- __u32 id[2]; /* __u64 would get the alignment wrong */ ++ compat_u64 id; + __u8 name[24]; + struct v4l2_fract frameperiod; /* Frames, not fields */ + __u32 framelines; +@@ -284,7 +284,7 @@ static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 + { + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) || + put_user(kp->index, &up->index) || +- copy_to_user(up->id, &kp->id, sizeof(__u64)) || ++ put_user(kp->id, &up->id) || + copy_to_user(up->name, kp->name, 24) || + copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) || + put_user(kp->framelines, &up->framelines) || +@@ -576,10 +576,10 @@ struct v4l2_input32 { + __u32 type; /* Type of input */ + __u32 audioset; /* Associated audios (bitfield) */ + __u32 tuner; /* Associated tuner */ +- v4l2_std_id std; ++ compat_u64 std; + __u32 status; + __u32 reserved[4]; +-} __attribute__ ((packed)); ++}; + + /* The 64-bit v4l2_input struct has extra padding at the end of the struct. + Otherwise it is identical to the 32-bit version. */ +@@ -719,6 +719,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext + struct v4l2_event32 { + __u32 type; + union { ++ compat_s64 value64; + __u8 data[64]; + } u; + __u32 pending; +diff --git a/drivers/media/v4l2-core/videobuf2-dma-contig.c b/drivers/media/v4l2-core/videobuf2-dma-contig.c +index 33d3871d1e13..63aeac93a95e 100644 +--- a/drivers/media/v4l2-core/videobuf2-dma-contig.c ++++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c +@@ -117,7 +117,8 @@ static void vb2_dc_prepare(void *buf_priv) + if (!sgt || buf->db_attach) + return; + +- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); ++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents, ++ buf->dma_dir); + } + + static void vb2_dc_finish(void *buf_priv) +@@ -129,7 +130,7 @@ static void vb2_dc_finish(void *buf_priv) + if (!sgt || buf->db_attach) + return; + +- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); ++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir); + } + + /*********************************************/ +diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c +index 3c7d6d7623c1..e638993ac626 100644 +--- a/drivers/mtd/mtdpart.c ++++ b/drivers/mtd/mtdpart.c +@@ -635,8 +635,10 @@ int add_mtd_partitions(struct mtd_info *master, + + for (i = 0; i < nbparts; i++) { + slave = allocate_partition(master, parts + i, i, cur_offset); +- if (IS_ERR(slave)) ++ if (IS_ERR(slave)) { ++ del_mtd_partitions(master); + return PTR_ERR(slave); ++ } + + mutex_lock(&mtd_partitions_mutex); + list_add(&slave->list, &mtd_partitions); +diff --git a/drivers/net/wireless/ti/wlcore/io.h b/drivers/net/wireless/ti/wlcore/io.h +index 07e3d6a049ad..e11c1adf2aad 100644 +--- a/drivers/net/wireless/ti/wlcore/io.h ++++ b/drivers/net/wireless/ti/wlcore/io.h +@@ -203,19 +203,23 @@ static inline int __must_check wlcore_write_reg(struct wl1271 *wl, int reg, + + static inline void wl1271_power_off(struct wl1271 *wl) + { +- int ret; ++ int ret = 0; + + if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags)) + return; + +- ret = wl->if_ops->power(wl->dev, false); ++ if (wl->if_ops->power) ++ ret = wl->if_ops->power(wl->dev, false); + if (!ret) + clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); + } + + static inline int wl1271_power_on(struct wl1271 *wl) + { +- int ret = wl->if_ops->power(wl->dev, true); ++ int ret = 0; ++ ++ if (wl->if_ops->power) ++ ret = wl->if_ops->power(wl->dev, true); + if (ret == 0) + set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); + +diff --git a/drivers/net/wireless/ti/wlcore/spi.c b/drivers/net/wireless/ti/wlcore/spi.c +index b2c018dccf18..c675163b0d40 100644 +--- a/drivers/net/wireless/ti/wlcore/spi.c ++++ b/drivers/net/wireless/ti/wlcore/spi.c +@@ -72,7 +72,10 @@ + */ + #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE) + +-#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) ++/* Maximum number of SPI write chunks */ ++#define WSPI_MAX_NUM_OF_CHUNKS \ ++ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1) ++ + + struct wl12xx_spi_glue { + struct device *dev; +@@ -270,9 +273,10 @@ static int __must_check wl12xx_spi_raw_write(struct device *child, int addr, + void *buf, size_t len, bool fixed) + { + struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent); +- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)]; ++ /* SPI write buffers - 2 for each chunk */ ++ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS]; + struct spi_message m; +- u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; ++ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */ + u32 *cmd; + u32 chunk_len; + int i; +diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c +index 38901665c770..f16c43dd6d04 100644 +--- a/drivers/pci/bus.c ++++ b/drivers/pci/bus.c +@@ -147,6 +147,8 @@ static int pci_bus_alloc_from_region(struct pci_bus *bus, struct resource *res, + type_mask |= IORESOURCE_IO | IORESOURCE_MEM; + + pci_bus_for_each_resource(bus, r, i) { ++ resource_size_t min_used = min; ++ + if (!r) + continue; + +@@ -170,12 +172,12 @@ static int pci_bus_alloc_from_region(struct pci_bus *bus, struct resource *res, + * overrides "min". + */ + if (avail.start) +- min = avail.start; ++ min_used = avail.start; + + max = avail.end; + + /* Ok, try it out.. */ +- ret = allocate_resource(r, res, size, min, max, ++ ret = allocate_resource(r, res, size, min_used, max, + align, alignf, alignf_data); + if (ret == 0) + return 0; +diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c +index 9d30809bb407..916af5096f57 100644 +--- a/drivers/remoteproc/remoteproc_debugfs.c ++++ b/drivers/remoteproc/remoteproc_debugfs.c +@@ -156,7 +156,7 @@ rproc_recovery_write(struct file *filp, const char __user *user_buf, + char buf[10]; + int ret; + +- if (count > sizeof(buf)) ++ if (count < 1 || count > sizeof(buf)) + return count; + + ret = copy_from_user(buf, user_buf, count); +diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c +index 5f8c6d2f4df7..0e46e8d1d7bc 100644 +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -593,7 +593,8 @@ static int atmel_spi_next_xfer_dma_submit(struct spi_master *master, + + *plen = len; + +- if (atmel_spi_dma_slave_config(as, &slave_config, 8)) ++ if (atmel_spi_dma_slave_config(as, &slave_config, ++ xfer->bits_per_word)) + goto err_exit; + + /* Send both scatterlists */ +diff --git a/drivers/spi/spi-ti-qspi.c b/drivers/spi/spi-ti-qspi.c +index 3d09265b5133..1454a0c42aac 100644 +--- a/drivers/spi/spi-ti-qspi.c ++++ b/drivers/spi/spi-ti-qspi.c +@@ -364,11 +364,10 @@ static int ti_qspi_start_transfer_one(struct spi_master *master, + + mutex_unlock(&qspi->list_lock); + ++ ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG); + m->status = status; + spi_finalize_current_message(master); + +- ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG); +- + return status; + } + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index d88492152be1..72ed3d147687 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1268,7 +1268,7 @@ struct spi_master *spi_alloc_master(struct device *dev, unsigned size) + master->bus_num = -1; + master->num_chipselect = 1; + master->dev.class = &spi_master_class; +- master->dev.parent = get_device(dev); ++ master->dev.parent = dev; + spi_master_set_devdata(master, &master[1]); + + return master; +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c +index 143deb62467d..12446e9a4435 100644 +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -411,7 +411,7 @@ receive_buf(struct tty_struct *tty, struct tty_buffer *head, int count) + count = disc->ops->receive_buf2(tty, p, f, count); + else { + count = min_t(int, count, tty->receive_room); +- if (count) ++ if (count && disc->ops->receive_buf) + disc->ops->receive_buf(tty, p, f, count); + } + head->read += count; +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 39988fa91294..b17df1000250 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2581,6 +2581,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p) + } + + /** ++ * tiocgetd - get line discipline ++ * @tty: tty device ++ * @p: pointer to user data ++ * ++ * Retrieves the line discipline id directly from the ldisc. ++ * ++ * Locking: waits for ldisc reference (in case the line discipline ++ * is changing or the tty is being hungup) ++ */ ++ ++static int tiocgetd(struct tty_struct *tty, int __user *p) ++{ ++ struct tty_ldisc *ld; ++ int ret; ++ ++ ld = tty_ldisc_ref_wait(tty); ++ ret = put_user(ld->ops->num, p); ++ tty_ldisc_deref(ld); ++ return ret; ++} ++ ++/** + * send_break - performed time break + * @tty: device to break on + * @duration: timeout in mS +@@ -2794,7 +2816,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + case TIOCGSID: + return tiocgsid(tty, real_tty, p); + case TIOCGETD: +- return put_user(tty->ldisc->ops->num, (int __user *)p); ++ return tiocgetd(tty, p); + case TIOCSETD: + return tiocsetd(tty, p); + case TIOCVHANGUP: +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index fa114bcedabf..648e7eccdde9 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5225,7 +5225,6 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + usb_set_usb2_hardware_lpm(udev, 0); + + bos = udev->bos; +- udev->bos = NULL; + + /* Disable LPM and LTM while we reset the device and reinstall the alt + * settings. Device-initiated LPM settings, and system exit latency +@@ -5334,8 +5333,11 @@ done: + usb_set_usb2_hardware_lpm(udev, 1); + usb_unlocked_enable_lpm(udev); + usb_enable_ltm(udev); +- usb_release_bos_descriptor(udev); +- udev->bos = bos; ++ /* release the new BOS descriptor allocated by hub_port_init() */ ++ if (udev->bos != bos) { ++ usb_release_bos_descriptor(udev); ++ udev->bos = bos; ++ } + return 0; + + re_enumerate: +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 5c957658a04a..7f01f165e77b 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -612,8 +612,30 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd, + if ((raw_port_status & PORT_RESET) || + !(raw_port_status & PORT_PE)) + return 0xffffffff; +- if (time_after_eq(jiffies, +- bus_state->resume_done[wIndex])) { ++ /* did port event handler already start resume timing? */ ++ if (!bus_state->resume_done[wIndex]) { ++ /* If not, maybe we are in a host initated resume? */ ++ if (test_bit(wIndex, &bus_state->resuming_ports)) { ++ /* Host initated resume doesn't time the resume ++ * signalling using resume_done[]. ++ * It manually sets RESUME state, sleeps 20ms ++ * and sets U0 state. This should probably be ++ * changed, but not right now. ++ */ ++ } else { ++ /* port resume was discovered now and here, ++ * start resume timing ++ */ ++ unsigned long timeout = jiffies + ++ msecs_to_jiffies(USB_RESUME_TIMEOUT); ++ ++ set_bit(wIndex, &bus_state->resuming_ports); ++ bus_state->resume_done[wIndex] = timeout; ++ mod_timer(&hcd->rh_timer, timeout); ++ } ++ /* Has resume been signalled for USB_RESUME_TIME yet? */ ++ } else if (time_after_eq(jiffies, ++ bus_state->resume_done[wIndex])) { + int time_left; + + xhci_dbg(xhci, "Resume USB2 port %d\n", +@@ -654,13 +676,24 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd, + } else { + /* + * The resume has been signaling for less than +- * 20ms. Report the port status as SUSPEND, +- * let the usbcore check port status again +- * and clear resume signaling later. ++ * USB_RESUME_TIME. Report the port status as SUSPEND, ++ * let the usbcore check port status again and clear ++ * resume signaling later. + */ + status |= USB_PORT_STAT_SUSPEND; + } + } ++ /* ++ * Clear stale usb2 resume signalling variables in case port changed ++ * state during resume signalling. For example on error ++ */ ++ if ((bus_state->resume_done[wIndex] || ++ test_bit(wIndex, &bus_state->resuming_ports)) && ++ (raw_port_status & PORT_PLS_MASK) != XDEV_U3 && ++ (raw_port_status & PORT_PLS_MASK) != XDEV_RESUME) { ++ bus_state->resume_done[wIndex] = 0; ++ clear_bit(wIndex, &bus_state->resuming_ports); ++ } + if ((raw_port_status & PORT_PLS_MASK) == XDEV_U0 + && (raw_port_status & PORT_POWER) + && (bus_state->suspended_ports & (1 << wIndex))) { +@@ -989,6 +1022,7 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + if ((temp & PORT_PE) == 0) + goto error; + ++ set_bit(wIndex, &bus_state->resuming_ports); + xhci_set_link_state(xhci, port_array, wIndex, + XDEV_RESUME); + spin_unlock_irqrestore(&xhci->lock, flags); +@@ -996,6 +1030,7 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + spin_lock_irqsave(&xhci->lock, flags); + xhci_set_link_state(xhci, port_array, wIndex, + XDEV_U0); ++ clear_bit(wIndex, &bus_state->resuming_ports); + } + bus_state->port_c_suspend |= 1 << wIndex; + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index bd993fe00e0c..3bfe81c6229a 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1768,7 +1768,8 @@ static void handle_port_status(struct xhci_hcd *xhci, + */ + bogus_port_status = true; + goto cleanup; +- } else { ++ } else if (!test_bit(faked_port_index, ++ &bus_state->resuming_ports)) { + xhci_dbg(xhci, "resume HS port %d\n", port_id); + bus_state->resume_done[faked_port_index] = jiffies + + msecs_to_jiffies(USB_RESUME_TIMEOUT); +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index c8e693c22014..27688e3b0a4c 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4866,6 +4866,9 @@ static int __init xhci_hcd_init(void) + { + int retval; + ++ if (usb_disabled()) ++ return -ENODEV; ++ + retval = xhci_register_pci(); + if (retval < 0) { + pr_debug("Problem registering PCI driver.\n"); +@@ -4894,9 +4897,6 @@ static int __init xhci_hcd_init(void) + /* xhci_run_regs has eight fields and embeds 128 xhci_intr_regs */ + BUILD_BUG_ON(sizeof(struct xhci_run_regs) != (8+8*128)*32/8); + +- if (usb_disabled()) +- return -ENODEV; +- + return 0; + unreg_pci: + xhci_unregister_pci(); +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index b4fc4091e3f8..02e6fe228a63 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -98,6 +98,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x81AC) }, /* MSD Dash Hawk */ + { USB_DEVICE(0x10C4, 0x81AD) }, /* INSYS USB Modem */ + { USB_DEVICE(0x10C4, 0x81C8) }, /* Lipowsky Industrie Elektronik GmbH, Baby-JTAG */ ++ { USB_DEVICE(0x10C4, 0x81D7) }, /* IAI Corp. RCB-CV-USB USB to RS485 Adaptor */ + { USB_DEVICE(0x10C4, 0x81E2) }, /* Lipowsky Industrie Elektronik GmbH, Baby-LIN */ + { USB_DEVICE(0x10C4, 0x81E7) }, /* Aerocomm Radio */ + { USB_DEVICE(0x10C4, 0x81E8) }, /* Zephyr Bioharness */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 7fb81dbbdc8d..b5d8e2544b8f 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -837,6 +837,7 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) }, ++ { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) }, + { USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) }, + + /* Papouch devices based on FTDI chip */ +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 2943b97b2a83..7850071c0ae1 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -615,6 +615,7 @@ + */ + #define RATOC_VENDOR_ID 0x0584 + #define RATOC_PRODUCT_ID_USB60F 0xb020 ++#define RATOC_PRODUCT_ID_SCU18 0xb03a + + /* + * Infineon Technologies +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index bdbe642e6569..81f6a572f016 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -269,6 +269,8 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_CC864_SINGLE 0x1006 + #define TELIT_PRODUCT_DE910_DUAL 0x1010 + #define TELIT_PRODUCT_UE910_V2 0x1012 ++#define TELIT_PRODUCT_LE922_USBCFG0 0x1042 ++#define TELIT_PRODUCT_LE922_USBCFG3 0x1043 + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 + +@@ -623,6 +625,16 @@ static const struct option_blacklist_info telit_le920_blacklist = { + .reserved = BIT(1) | BIT(5), + }; + ++static const struct option_blacklist_info telit_le922_blacklist_usbcfg0 = { ++ .sendsetup = BIT(2), ++ .reserved = BIT(0) | BIT(1) | BIT(3), ++}; ++ ++static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = { ++ .sendsetup = BIT(0), ++ .reserved = BIT(1) | BIT(2) | BIT(3), ++}; ++ + static const struct usb_device_id option_ids[] = { + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, +@@ -1168,6 +1180,10 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0), ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3), ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), +@@ -1679,7 +1695,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_P) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, +- { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX) }, ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c +index 60afb39eb73c..337a0be89fcf 100644 +--- a/drivers/usb/serial/visor.c ++++ b/drivers/usb/serial/visor.c +@@ -544,6 +544,11 @@ static int treo_attach(struct usb_serial *serial) + (serial->num_interrupt_in == 0)) + return 0; + ++ if (serial->num_bulk_in < 2 || serial->num_interrupt_in < 2) { ++ dev_err(&serial->interface->dev, "missing endpoints\n"); ++ return -ENODEV; ++ } ++ + /* + * It appears that Treos and Kyoceras want to use the + * 1st bulk in endpoint to communicate with the 2nd bulk out endpoint, +@@ -597,8 +602,10 @@ static int clie_5_attach(struct usb_serial *serial) + */ + + /* some sanity check */ +- if (serial->num_ports < 2) +- return -1; ++ if (serial->num_bulk_out < 2) { ++ dev_err(&serial->interface->dev, "missing bulk out endpoints\n"); ++ return -ENODEV; ++ } + + /* port 0 now uses the modified endpoint Address */ + port = serial->port[0]; +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 35240a704413..6eb8df76e17c 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -679,16 +679,16 @@ static int load_elf_binary(struct linux_binprm *bprm) + */ + would_dump(bprm, interpreter); + +- retval = kernel_read(interpreter, 0, bprm->buf, +- BINPRM_BUF_SIZE); +- if (retval != BINPRM_BUF_SIZE) { ++ /* Get the exec headers */ ++ retval = kernel_read(interpreter, 0, ++ (void *)&loc->interp_elf_ex, ++ sizeof(loc->interp_elf_ex)); ++ if (retval != sizeof(loc->interp_elf_ex)) { + if (retval >= 0) + retval = -EIO; + goto out_free_dentry; + } + +- /* Get the exec headers */ +- loc->interp_elf_ex = *((struct elfhdr *)bprm->buf); + break; + } + elf_ppnt++; +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 2a6830a7af33..96fe2c175a73 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -724,19 +725,55 @@ struct move_extent { + <= (EXT4_GOOD_OLD_INODE_SIZE + \ + (einode)->i_extra_isize)) \ + ++/* ++ * We use an encoding that preserves the times for extra epoch "00": ++ * ++ * extra msb of adjust for signed ++ * epoch 32-bit 32-bit tv_sec to ++ * bits time decoded 64-bit tv_sec 64-bit tv_sec valid time range ++ * 0 0 1 -0x80000000..-0x00000001 0x000000000 1901-12-13..1969-12-31 ++ * 0 0 0 0x000000000..0x07fffffff 0x000000000 1970-01-01..2038-01-19 ++ * 0 1 1 0x080000000..0x0ffffffff 0x100000000 2038-01-19..2106-02-07 ++ * 0 1 0 0x100000000..0x17fffffff 0x100000000 2106-02-07..2174-02-25 ++ * 1 0 1 0x180000000..0x1ffffffff 0x200000000 2174-02-25..2242-03-16 ++ * 1 0 0 0x200000000..0x27fffffff 0x200000000 2242-03-16..2310-04-04 ++ * 1 1 1 0x280000000..0x2ffffffff 0x300000000 2310-04-04..2378-04-22 ++ * 1 1 0 0x300000000..0x37fffffff 0x300000000 2378-04-22..2446-05-10 ++ * ++ * Note that previous versions of the kernel on 64-bit systems would ++ * incorrectly use extra epoch bits 1,1 for dates between 1901 and ++ * 1970. e2fsck will correct this, assuming that it is run on the ++ * affected filesystem before 2242. ++ */ ++ + static inline __le32 ext4_encode_extra_time(struct timespec *time) + { +- return cpu_to_le32((sizeof(time->tv_sec) > 4 ? +- (time->tv_sec >> 32) & EXT4_EPOCH_MASK : 0) | +- ((time->tv_nsec << EXT4_EPOCH_BITS) & EXT4_NSEC_MASK)); ++ u32 extra = sizeof(time->tv_sec) > 4 ? ++ ((time->tv_sec - (s32)time->tv_sec) >> 32) & EXT4_EPOCH_MASK : 0; ++ return cpu_to_le32(extra | (time->tv_nsec << EXT4_EPOCH_BITS)); + } + + static inline void ext4_decode_extra_time(struct timespec *time, __le32 extra) + { +- if (sizeof(time->tv_sec) > 4) +- time->tv_sec |= (__u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) +- << 32; +- time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; ++ if (unlikely(sizeof(time->tv_sec) > 4 && ++ (extra & cpu_to_le32(EXT4_EPOCH_MASK)))) { ++#if LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0) ++ /* Handle legacy encoding of pre-1970 dates with epoch ++ * bits 1,1. We assume that by kernel version 4.20, ++ * everyone will have run fsck over the affected ++ * filesystems to correct the problem. (This ++ * backwards compatibility may be removed before this ++ * time, at the discretion of the ext4 developers.) ++ */ ++ u64 extra_bits = le32_to_cpu(extra) & EXT4_EPOCH_MASK; ++ if (extra_bits == 3 && ((time->tv_sec) & 0x80000000) != 0) ++ extra_bits = 0; ++ time->tv_sec += extra_bits << 32; ++#else ++ time->tv_sec += (u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) << 32; ++#endif ++ } ++ time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; + } + + #define EXT4_INODE_SET_XTIME(xtime, inode, raw_inode) \ +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 2400ad1c3d12..831cb305c63f 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1030,7 +1030,7 @@ exit_free: + * do not copy the full number of backups at this time. The resize + * which changed s_groups_count will backup again. + */ +-static void update_backups(struct super_block *sb, int blk_off, char *data, ++static void update_backups(struct super_block *sb, sector_t blk_off, char *data, + int size, int meta_bg) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); +@@ -1055,7 +1055,7 @@ static void update_backups(struct super_block *sb, int blk_off, char *data, + group = ext4_list_backups(sb, &three, &five, &seven); + last = sbi->s_groups_count; + } else { +- group = ext4_meta_bg_first_group(sb, group) + 1; ++ group = ext4_get_group_number(sb, blk_off) + 1; + last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2); + } + +diff --git a/fs/fat/dir.c b/fs/fat/dir.c +index 3963ede84eb0..75bf5e717ed8 100644 +--- a/fs/fat/dir.c ++++ b/fs/fat/dir.c +@@ -614,9 +614,9 @@ parse_record: + int status = fat_parse_long(inode, &cpos, &bh, &de, + &unicode, &nr_slots); + if (status < 0) { +- ctx->pos = cpos; ++ bh = NULL; + ret = status; +- goto out; ++ goto end_of_dir; + } else if (status == PARSE_INVALID) + goto record_end; + else if (status == PARSE_NOT_LONGNAME) +@@ -658,8 +658,9 @@ parse_record: + fill_len = short_len; + + start_filldir: +- if (!fake_offset) +- ctx->pos = cpos - (nr_slots + 1) * sizeof(struct msdos_dir_entry); ++ ctx->pos = cpos - (nr_slots + 1) * sizeof(struct msdos_dir_entry); ++ if (fake_offset && ctx->pos < 2) ++ ctx->pos = 2; + + if (!memcmp(de->name, MSDOS_DOT, MSDOS_NAME)) { + if (!dir_emit_dot(file, ctx)) +@@ -685,14 +686,19 @@ record_end: + fake_offset = 0; + ctx->pos = cpos; + goto get_new; ++ + end_of_dir: +- ctx->pos = cpos; ++ if (fake_offset && cpos < 2) ++ ctx->pos = 2; ++ else ++ ctx->pos = cpos; + fill_failed: + brelse(bh); + if (unicode) + __putname(unicode); + out: + mutex_unlock(&sbi->s_lock); ++ + return ret; + } + +diff --git a/fs/fscache/netfs.c b/fs/fscache/netfs.c +index 989f39401547..96e48c67271b 100644 +--- a/fs/fscache/netfs.c ++++ b/fs/fscache/netfs.c +@@ -22,6 +22,7 @@ static LIST_HEAD(fscache_netfs_list); + int __fscache_register_netfs(struct fscache_netfs *netfs) + { + struct fscache_netfs *ptr; ++ struct fscache_cookie *cookie; + int ret; + + _enter("{%s}", netfs->name); +@@ -29,29 +30,25 @@ int __fscache_register_netfs(struct fscache_netfs *netfs) + INIT_LIST_HEAD(&netfs->link); + + /* allocate a cookie for the primary index */ +- netfs->primary_index = +- kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL); ++ cookie = kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL); + +- if (!netfs->primary_index) { ++ if (!cookie) { + _leave(" = -ENOMEM"); + return -ENOMEM; + } + + /* initialise the primary index cookie */ +- atomic_set(&netfs->primary_index->usage, 1); +- atomic_set(&netfs->primary_index->n_children, 0); +- atomic_set(&netfs->primary_index->n_active, 1); ++ atomic_set(&cookie->usage, 1); ++ atomic_set(&cookie->n_children, 0); ++ atomic_set(&cookie->n_active, 1); + +- netfs->primary_index->def = &fscache_fsdef_netfs_def; +- netfs->primary_index->parent = &fscache_fsdef_index; +- netfs->primary_index->netfs_data = netfs; +- netfs->primary_index->flags = 1 << FSCACHE_COOKIE_ENABLED; ++ cookie->def = &fscache_fsdef_netfs_def; ++ cookie->parent = &fscache_fsdef_index; ++ cookie->netfs_data = netfs; ++ cookie->flags = 1 << FSCACHE_COOKIE_ENABLED; + +- atomic_inc(&netfs->primary_index->parent->usage); +- atomic_inc(&netfs->primary_index->parent->n_children); +- +- spin_lock_init(&netfs->primary_index->lock); +- INIT_HLIST_HEAD(&netfs->primary_index->backing_objects); ++ spin_lock_init(&cookie->lock); ++ INIT_HLIST_HEAD(&cookie->backing_objects); + + /* check the netfs type is not already present */ + down_write(&fscache_addremove_sem); +@@ -62,6 +59,10 @@ int __fscache_register_netfs(struct fscache_netfs *netfs) + goto already_registered; + } + ++ atomic_inc(&cookie->parent->usage); ++ atomic_inc(&cookie->parent->n_children); ++ ++ netfs->primary_index = cookie; + list_add(&netfs->link, &fscache_netfs_list); + ret = 0; + +@@ -71,11 +72,8 @@ int __fscache_register_netfs(struct fscache_netfs *netfs) + already_registered: + up_write(&fscache_addremove_sem); + +- if (ret < 0) { +- netfs->primary_index->parent = NULL; +- __fscache_cookie_put(netfs->primary_index); +- netfs->primary_index = NULL; +- } ++ if (ret < 0) ++ kmem_cache_free(fscache_cookie_jar, cookie); + + _leave(" = %d", ret); + return ret; +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index ecc57071a1a9..a8c65539fbd2 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -2066,6 +2066,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, + + if (!buffer_dirty(bh)) { + /* bdflush has written it. We can drop it now */ ++ __jbd2_journal_remove_checkpoint(jh); + goto zap_buffer; + } + +@@ -2095,6 +2096,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, + /* The orphan record's transaction has + * committed. We can cleanse this buffer */ + clear_buffer_jbddirty(bh); ++ __jbd2_journal_remove_checkpoint(jh); + goto zap_buffer; + } + } +diff --git a/fs/ocfs2/dlm/dlmmaster.c b/fs/ocfs2/dlm/dlmmaster.c +index 1dd0bcc75536..96cbbe9e7030 100644 +--- a/fs/ocfs2/dlm/dlmmaster.c ++++ b/fs/ocfs2/dlm/dlmmaster.c +@@ -2459,6 +2459,11 @@ static int dlm_migrate_lockres(struct dlm_ctxt *dlm, + spin_lock(&dlm->master_lock); + ret = dlm_add_migration_mle(dlm, res, mle, &oldmle, name, + namelen, target, dlm->node_num); ++ /* get an extra reference on the mle. ++ * otherwise the assert_master from the new ++ * master will destroy this. ++ */ ++ dlm_get_mle_inuse(mle); + spin_unlock(&dlm->master_lock); + spin_unlock(&dlm->spinlock); + +@@ -2494,6 +2499,7 @@ fail: + if (mle_added) { + dlm_mle_detach_hb_events(dlm, mle); + dlm_put_mle(mle); ++ dlm_put_mle_inuse(mle); + } else if (mle) { + kmem_cache_free(dlm_mle_cache, mle); + mle = NULL; +@@ -2511,17 +2517,6 @@ fail: + * ensure that all assert_master work is flushed. */ + flush_workqueue(dlm->dlm_worker); + +- /* get an extra reference on the mle. +- * otherwise the assert_master from the new +- * master will destroy this. +- * also, make sure that all callers of dlm_get_mle +- * take both dlm->spinlock and dlm->master_lock */ +- spin_lock(&dlm->spinlock); +- spin_lock(&dlm->master_lock); +- dlm_get_mle_inuse(mle); +- spin_unlock(&dlm->master_lock); +- spin_unlock(&dlm->spinlock); +- + /* notify new node and send all lock state */ + /* call send_one_lockres with migration flag. + * this serves as notice to the target node that a +@@ -3246,6 +3241,15 @@ top: + mle->new_master != dead_node) + continue; + ++ if (mle->new_master == dead_node && mle->inuse) { ++ mlog(ML_NOTICE, "%s: target %u died during " ++ "migration from %u, the MLE is " ++ "still keep used, ignore it!\n", ++ dlm->name, dead_node, ++ mle->master); ++ continue; ++ } ++ + /* If we have reached this point, this mle needs to be + * removed from the list and freed. */ + dlm_clean_migration_mle(dlm, mle); +diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c +index fe29f7978f81..4b93d96d244f 100644 +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -2332,6 +2332,8 @@ static void dlm_do_local_recovery_cleanup(struct dlm_ctxt *dlm, u8 dead_node) + break; + } + } ++ dlm_lockres_clear_refmap_bit(dlm, res, ++ dead_node); + spin_unlock(&res->spinlock); + continue; + } +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index cc0aeb9e81a2..5e260e14cdd6 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -340,13 +340,11 @@ static int ocfs2_mknod(struct inode *dir, + goto leave; + } + +- status = posix_acl_create(dir, &mode, &default_acl, &acl); ++ status = posix_acl_create(dir, &inode->i_mode, &default_acl, &acl); + if (status) { + mlog_errno(status); + goto leave; + } +- /* update inode->i_mode after mask with "umask". */ +- inode->i_mode = mode; + + handle = ocfs2_start_trans(osb, ocfs2_mknod_credits(osb->sb, + S_ISDIR(mode), +diff --git a/fs/proc/fd.c b/fs/proc/fd.c +index 985ea881b5bc..c06a1f97ac22 100644 +--- a/fs/proc/fd.c ++++ b/fs/proc/fd.c +@@ -283,11 +283,19 @@ static struct dentry *proc_lookupfd(struct inode *dir, struct dentry *dentry, + */ + int proc_fd_permission(struct inode *inode, int mask) + { +- int rv = generic_permission(inode, mask); ++ struct task_struct *p; ++ int rv; ++ ++ rv = generic_permission(inode, mask); + if (rv == 0) +- return 0; +- if (task_tgid(current) == proc_pid(inode)) ++ return rv; ++ ++ rcu_read_lock(); ++ p = pid_task(proc_pid(inode), PIDTYPE_PID); ++ if (p && same_thread_group(p, current)) + rv = 0; ++ rcu_read_unlock(); ++ + return rv; + } + +diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c +index c327d4ee1235..7b3792e5844a 100644 +--- a/fs/sysv/inode.c ++++ b/fs/sysv/inode.c +@@ -161,14 +161,8 @@ void sysv_set_inode(struct inode *inode, dev_t rdev) + inode->i_fop = &sysv_dir_operations; + inode->i_mapping->a_ops = &sysv_aops; + } else if (S_ISLNK(inode->i_mode)) { +- if (inode->i_blocks) { +- inode->i_op = &sysv_symlink_inode_operations; +- inode->i_mapping->a_ops = &sysv_aops; +- } else { +- inode->i_op = &sysv_fast_symlink_inode_operations; +- nd_terminate_link(SYSV_I(inode)->i_data, inode->i_size, +- sizeof(SYSV_I(inode)->i_data) - 1); +- } ++ inode->i_op = &sysv_symlink_inode_operations; ++ inode->i_mapping->a_ops = &sysv_aops; + } else + init_special_inode(inode, inode->i_mode, rdev); + } +diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h +index d61c11170213..2f38daaab3d7 100644 +--- a/include/crypto/if_alg.h ++++ b/include/crypto/if_alg.h +@@ -30,6 +30,8 @@ struct alg_sock { + + struct sock *parent; + ++ unsigned int refcnt; ++ + const struct af_alg_type *type; + void *private; + }; +@@ -64,6 +66,7 @@ int af_alg_register_type(const struct af_alg_type *type); + int af_alg_unregister_type(const struct af_alg_type *type); + + int af_alg_release(struct socket *sock); ++void af_alg_release_parent(struct sock *sk); + int af_alg_accept(struct sock *sk, struct socket *newsock); + + int af_alg_make_sg(struct af_alg_sgl *sgl, void __user *addr, int len, +@@ -80,11 +83,6 @@ static inline struct alg_sock *alg_sk(struct sock *sk) + return (struct alg_sock *)sk; + } + +-static inline void af_alg_release_parent(struct sock *sk) +-{ +- sock_put(alg_sk(sk)->parent); +-} +- + static inline void af_alg_init_completion(struct af_alg_completion *completion) + { + init_completion(&completion->completion); +diff --git a/include/linux/signal.h b/include/linux/signal.h +index 2ac423bdb676..53944e50e421 100644 +--- a/include/linux/signal.h ++++ b/include/linux/signal.h +@@ -247,7 +247,6 @@ extern int sigprocmask(int, sigset_t *, sigset_t *); + extern void set_current_blocked(sigset_t *); + extern void __set_current_blocked(const sigset_t *); + extern int show_unhandled_signals; +-extern int sigsuspend(sigset_t *); + + struct sigaction { + #ifndef __ARCH_HAS_IRIX_SIGACTION +diff --git a/kernel/signal.c b/kernel/signal.c +index 15c22ee11156..d8db156e5f5c 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -3550,7 +3550,7 @@ SYSCALL_DEFINE0(pause) + + #endif + +-int sigsuspend(sigset_t *set) ++static int sigsuspend(sigset_t *set) + { + current->saved_sigmask = current->blocked; + set_current_blocked(set); +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index 2900817ba65c..7c8cef653166 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -269,6 +269,7 @@ static const char **find_next(void *v, loff_t *pos) + if (*pos < last_index + start_index) + return __start___tracepoint_str + (*pos - last_index); + ++ start_index += last_index; + return find_next_mod_format(start_index, v, fmt, pos); + } + +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h +index 49b582a225b0..b9897e2be404 100644 +--- a/scripts/recordmcount.h ++++ b/scripts/recordmcount.h +@@ -377,7 +377,7 @@ static void nop_mcount(Elf_Shdr const *const relhdr, + + if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) { + if (make_nop) +- ret = make_nop((void *)ehdr, shdr->sh_offset + relp->r_offset); ++ ret = make_nop((void *)ehdr, _w(shdr->sh_offset) + _w(relp->r_offset)); + if (warn_on_notrace_sect && !once) { + printf("Section %s has mcount callers being ignored\n", + txtname); +diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c +index 048550aacffc..596a2020fe2c 100644 +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include "evm.h" + + int evm_initialized; +@@ -133,7 +134,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, + xattr_value_len, calc.digest); + if (rc) + break; +- rc = memcmp(xattr_data->digest, calc.digest, ++ rc = crypto_memneq(xattr_data->digest, calc.digest, + sizeof(calc.digest)); + if (rc) + rc = -EINVAL; +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 7403f348ed14..91525fafe73b 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -44,6 +44,13 @@ + #include + #include + ++/* struct snd_compr_codec_caps overflows the ioctl bit size for some ++ * architectures, so we need to disable the relevant ioctls. ++ */ ++#if _IOC_SIZEBITS < 14 ++#define COMPR_CODEC_CAPS_OVERFLOW ++#endif ++ + /* TODO: + * - add substream support for multiple devices in case of + * SND_DYNAMIC_MINORS is not used +@@ -438,6 +445,7 @@ out: + return retval; + } + ++#ifndef COMPR_CODEC_CAPS_OVERFLOW + static int + snd_compr_get_codec_caps(struct snd_compr_stream *stream, unsigned long arg) + { +@@ -461,6 +469,7 @@ out: + kfree(caps); + return retval; + } ++#endif /* !COMPR_CODEC_CAPS_OVERFLOW */ + + /* revisit this with snd_pcm_preallocate_xxx */ + static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, +@@ -799,9 +808,11 @@ static long snd_compr_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + case _IOC_NR(SNDRV_COMPRESS_GET_CAPS): + retval = snd_compr_get_caps(stream, arg); + break; ++#ifndef COMPR_CODEC_CAPS_OVERFLOW + case _IOC_NR(SNDRV_COMPRESS_GET_CODEC_CAPS): + retval = snd_compr_get_codec_caps(stream, arg); + break; ++#endif + case _IOC_NR(SNDRV_COMPRESS_SET_PARAMS): + retval = snd_compr_set_params(stream, arg); + break; +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 4c1cc51772e6..7417f96cea6e 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -834,7 +834,8 @@ static int choose_rate(struct snd_pcm_substream *substream, + return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); + } + +-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream) ++static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, ++ bool trylock) + { + struct snd_pcm_runtime *runtime = substream->runtime; + struct snd_pcm_hw_params *params, *sparams; +@@ -848,7 +849,10 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream) + struct snd_mask sformat_mask; + struct snd_mask mask; + +- if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ if (trylock) { ++ if (!(mutex_trylock(&runtime->oss.params_lock))) ++ return -EAGAIN; ++ } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -EINTR; + sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); + params = kmalloc(sizeof(*params), GFP_KERNEL); +@@ -1091,7 +1095,7 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil + if (asubstream == NULL) + asubstream = substream; + if (substream->runtime->oss.params) { +- err = snd_pcm_oss_change_params(substream); ++ err = snd_pcm_oss_change_params(substream, false); + if (err < 0) + return err; + } +@@ -1130,7 +1134,7 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream) + return 0; + runtime = substream->runtime; + if (runtime->oss.params) { +- err = snd_pcm_oss_change_params(substream); ++ err = snd_pcm_oss_change_params(substream, false); + if (err < 0) + return err; + } +@@ -2168,7 +2172,7 @@ static int snd_pcm_oss_get_space(struct snd_pcm_oss_file *pcm_oss_file, int stre + runtime = substream->runtime; + + if (runtime->oss.params && +- (err = snd_pcm_oss_change_params(substream)) < 0) ++ (err = snd_pcm_oss_change_params(substream, false)) < 0) + return err; + + info.fragsize = runtime->oss.period_bytes; +@@ -2804,7 +2808,12 @@ static int snd_pcm_oss_mmap(struct file *file, struct vm_area_struct *area) + return -EIO; + + if (runtime->oss.params) { +- if ((err = snd_pcm_oss_change_params(substream)) < 0) ++ /* use mutex_trylock() for params_lock for avoiding a deadlock ++ * between mmap_sem and params_lock taken by ++ * copy_from/to_user() in snd_pcm_oss_write/read() ++ */ ++ err = snd_pcm_oss_change_params(substream, true); ++ if (err < 0) + return err; + } + #ifdef CONFIG_SND_PCM_OSS_PLUGINS +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c +index 7b596b5751db..500765f20843 100644 +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -934,31 +934,36 @@ static long snd_rawmidi_kernel_read1(struct snd_rawmidi_substream *substream, + unsigned long flags; + long result = 0, count1; + struct snd_rawmidi_runtime *runtime = substream->runtime; ++ unsigned long appl_ptr; + ++ spin_lock_irqsave(&runtime->lock, flags); + while (count > 0 && runtime->avail) { + count1 = runtime->buffer_size - runtime->appl_ptr; + if (count1 > count) + count1 = count; +- spin_lock_irqsave(&runtime->lock, flags); + if (count1 > (int)runtime->avail) + count1 = runtime->avail; ++ ++ /* update runtime->appl_ptr before unlocking for userbuf */ ++ appl_ptr = runtime->appl_ptr; ++ runtime->appl_ptr += count1; ++ runtime->appl_ptr %= runtime->buffer_size; ++ runtime->avail -= count1; ++ + if (kernelbuf) +- memcpy(kernelbuf + result, runtime->buffer + runtime->appl_ptr, count1); ++ memcpy(kernelbuf + result, runtime->buffer + appl_ptr, count1); + if (userbuf) { + spin_unlock_irqrestore(&runtime->lock, flags); + if (copy_to_user(userbuf + result, +- runtime->buffer + runtime->appl_ptr, count1)) { ++ runtime->buffer + appl_ptr, count1)) { + return result > 0 ? result : -EFAULT; + } + spin_lock_irqsave(&runtime->lock, flags); + } +- runtime->appl_ptr += count1; +- runtime->appl_ptr %= runtime->buffer_size; +- runtime->avail -= count1; +- spin_unlock_irqrestore(&runtime->lock, flags); + result += count1; + count -= count1; + } ++ spin_unlock_irqrestore(&runtime->lock, flags); + return result; + } + +@@ -1161,8 +1166,9 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, + unsigned long flags; + long count1, result; + struct snd_rawmidi_runtime *runtime = substream->runtime; ++ unsigned long appl_ptr; + +- if (snd_BUG_ON(!kernelbuf && !userbuf)) ++ if (!kernelbuf && !userbuf) + return -EINVAL; + if (snd_BUG_ON(!runtime->buffer)) + return -EINVAL; +@@ -1181,12 +1187,19 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, + count1 = count; + if (count1 > (long)runtime->avail) + count1 = runtime->avail; ++ ++ /* update runtime->appl_ptr before unlocking for userbuf */ ++ appl_ptr = runtime->appl_ptr; ++ runtime->appl_ptr += count1; ++ runtime->appl_ptr %= runtime->buffer_size; ++ runtime->avail -= count1; ++ + if (kernelbuf) +- memcpy(runtime->buffer + runtime->appl_ptr, ++ memcpy(runtime->buffer + appl_ptr, + kernelbuf + result, count1); + else if (userbuf) { + spin_unlock_irqrestore(&runtime->lock, flags); +- if (copy_from_user(runtime->buffer + runtime->appl_ptr, ++ if (copy_from_user(runtime->buffer + appl_ptr, + userbuf + result, count1)) { + spin_lock_irqsave(&runtime->lock, flags); + result = result > 0 ? result : -EFAULT; +@@ -1194,9 +1207,6 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, + } + spin_lock_irqsave(&runtime->lock, flags); + } +- runtime->appl_ptr += count1; +- runtime->appl_ptr %= runtime->buffer_size; +- runtime->avail -= count1; + result += count1; + count -= count1; + } +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c +index c5b773a1eea9..4a09c3085ca4 100644 +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -310,7 +310,7 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp) + struct seq_oss_synth *rec; + struct seq_oss_synthinfo *info; + +- if (snd_BUG_ON(dp->max_synthdev >= SNDRV_SEQ_OSS_MAX_SYNTH_DEVS)) ++ if (snd_BUG_ON(dp->max_synthdev > SNDRV_SEQ_OSS_MAX_SYNTH_DEVS)) + return; + for (i = 0; i < dp->max_synthdev; i++) { + info = &dp->synths[i]; +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index ecfbf5f39d38..08865dcbf5f1 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -678,6 +678,9 @@ static int deliver_to_subscribers(struct snd_seq_client *client, + else + down_read(&grp->list_mutex); + list_for_each_entry(subs, &grp->list_head, src_list) { ++ /* both ports ready? */ ++ if (atomic_read(&subs->ref_count) != 2) ++ continue; + event->dest = subs->info.dest; + if (subs->info.flags & SNDRV_SEQ_PORT_SUBS_TIMESTAMP) + /* convert time according to flag with subscription */ +diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c +index 9516e5ce3aad..67c91d226552 100644 +--- a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -175,10 +175,6 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, + } + + /* */ +-enum group_type { +- SRC_LIST, DEST_LIST +-}; +- + static int subscribe_port(struct snd_seq_client *client, + struct snd_seq_client_port *port, + struct snd_seq_port_subs_info *grp, +@@ -205,6 +201,20 @@ static struct snd_seq_client_port *get_client_port(struct snd_seq_addr *addr, + return NULL; + } + ++static void delete_and_unsubscribe_port(struct snd_seq_client *client, ++ struct snd_seq_client_port *port, ++ struct snd_seq_subscribers *subs, ++ bool is_src, bool ack); ++ ++static inline struct snd_seq_subscribers * ++get_subscriber(struct list_head *p, bool is_src) ++{ ++ if (is_src) ++ return list_entry(p, struct snd_seq_subscribers, src_list); ++ else ++ return list_entry(p, struct snd_seq_subscribers, dest_list); ++} ++ + /* + * remove all subscribers on the list + * this is called from port_delete, for each src and dest list. +@@ -212,7 +222,7 @@ static struct snd_seq_client_port *get_client_port(struct snd_seq_addr *addr, + static void clear_subscriber_list(struct snd_seq_client *client, + struct snd_seq_client_port *port, + struct snd_seq_port_subs_info *grp, +- int grptype) ++ int is_src) + { + struct list_head *p, *n; + +@@ -221,15 +231,13 @@ static void clear_subscriber_list(struct snd_seq_client *client, + struct snd_seq_client *c; + struct snd_seq_client_port *aport; + +- if (grptype == SRC_LIST) { +- subs = list_entry(p, struct snd_seq_subscribers, src_list); ++ subs = get_subscriber(p, is_src); ++ if (is_src) + aport = get_client_port(&subs->info.dest, &c); +- } else { +- subs = list_entry(p, struct snd_seq_subscribers, dest_list); ++ else + aport = get_client_port(&subs->info.sender, &c); +- } +- list_del(p); +- unsubscribe_port(client, port, grp, &subs->info, 0); ++ delete_and_unsubscribe_port(client, port, subs, is_src, false); ++ + if (!aport) { + /* looks like the connected port is being deleted. + * we decrease the counter, and when both ports are deleted +@@ -237,21 +245,14 @@ static void clear_subscriber_list(struct snd_seq_client *client, + */ + if (atomic_dec_and_test(&subs->ref_count)) + kfree(subs); +- } else { +- /* ok we got the connected port */ +- struct snd_seq_port_subs_info *agrp; +- agrp = (grptype == SRC_LIST) ? &aport->c_dest : &aport->c_src; +- down_write(&agrp->list_mutex); +- if (grptype == SRC_LIST) +- list_del(&subs->dest_list); +- else +- list_del(&subs->src_list); +- up_write(&agrp->list_mutex); +- unsubscribe_port(c, aport, agrp, &subs->info, 1); +- kfree(subs); +- snd_seq_port_unlock(aport); +- snd_seq_client_unlock(c); ++ continue; + } ++ ++ /* ok we got the connected port */ ++ delete_and_unsubscribe_port(c, aport, subs, !is_src, true); ++ kfree(subs); ++ snd_seq_port_unlock(aport); ++ snd_seq_client_unlock(c); + } + } + +@@ -264,8 +265,8 @@ static int port_delete(struct snd_seq_client *client, + snd_use_lock_sync(&port->use_lock); + + /* clear subscribers info */ +- clear_subscriber_list(client, port, &port->c_src, SRC_LIST); +- clear_subscriber_list(client, port, &port->c_dest, DEST_LIST); ++ clear_subscriber_list(client, port, &port->c_src, true); ++ clear_subscriber_list(client, port, &port->c_dest, false); + + if (port->private_free) + port->private_free(port->private_data); +@@ -484,85 +485,120 @@ static int match_subs_info(struct snd_seq_port_subscribe *r, + return 0; + } + +- +-/* connect two ports */ +-int snd_seq_port_connect(struct snd_seq_client *connector, +- struct snd_seq_client *src_client, +- struct snd_seq_client_port *src_port, +- struct snd_seq_client *dest_client, +- struct snd_seq_client_port *dest_port, +- struct snd_seq_port_subscribe *info) ++static int check_and_subscribe_port(struct snd_seq_client *client, ++ struct snd_seq_client_port *port, ++ struct snd_seq_subscribers *subs, ++ bool is_src, bool exclusive, bool ack) + { +- struct snd_seq_port_subs_info *src = &src_port->c_src; +- struct snd_seq_port_subs_info *dest = &dest_port->c_dest; +- struct snd_seq_subscribers *subs, *s; +- int err, src_called = 0; +- unsigned long flags; +- int exclusive; ++ struct snd_seq_port_subs_info *grp; ++ struct list_head *p; ++ struct snd_seq_subscribers *s; ++ int err; + +- subs = kzalloc(sizeof(*subs), GFP_KERNEL); +- if (! subs) +- return -ENOMEM; +- +- subs->info = *info; +- atomic_set(&subs->ref_count, 2); +- +- down_write(&src->list_mutex); +- down_write_nested(&dest->list_mutex, SINGLE_DEPTH_NESTING); +- +- exclusive = info->flags & SNDRV_SEQ_PORT_SUBS_EXCLUSIVE ? 1 : 0; ++ grp = is_src ? &port->c_src : &port->c_dest; + err = -EBUSY; ++ down_write(&grp->list_mutex); + if (exclusive) { +- if (! list_empty(&src->list_head) || ! list_empty(&dest->list_head)) ++ if (!list_empty(&grp->list_head)) + goto __error; + } else { +- if (src->exclusive || dest->exclusive) ++ if (grp->exclusive) + goto __error; + /* check whether already exists */ +- list_for_each_entry(s, &src->list_head, src_list) { +- if (match_subs_info(info, &s->info)) +- goto __error; +- } +- list_for_each_entry(s, &dest->list_head, dest_list) { +- if (match_subs_info(info, &s->info)) ++ list_for_each(p, &grp->list_head) { ++ s = get_subscriber(p, is_src); ++ if (match_subs_info(&subs->info, &s->info)) + goto __error; + } + } + +- if ((err = subscribe_port(src_client, src_port, src, info, +- connector->number != src_client->number)) < 0) +- goto __error; +- src_called = 1; +- +- if ((err = subscribe_port(dest_client, dest_port, dest, info, +- connector->number != dest_client->number)) < 0) ++ err = subscribe_port(client, port, grp, &subs->info, ack); ++ if (err < 0) { ++ grp->exclusive = 0; + goto __error; ++ } + + /* add to list */ +- write_lock_irqsave(&src->list_lock, flags); +- // write_lock(&dest->list_lock); // no other lock yet +- list_add_tail(&subs->src_list, &src->list_head); +- list_add_tail(&subs->dest_list, &dest->list_head); +- // write_unlock(&dest->list_lock); // no other lock yet +- write_unlock_irqrestore(&src->list_lock, flags); ++ write_lock_irq(&grp->list_lock); ++ if (is_src) ++ list_add_tail(&subs->src_list, &grp->list_head); ++ else ++ list_add_tail(&subs->dest_list, &grp->list_head); ++ grp->exclusive = exclusive; ++ atomic_inc(&subs->ref_count); ++ write_unlock_irq(&grp->list_lock); ++ err = 0; ++ ++ __error: ++ up_write(&grp->list_mutex); ++ return err; ++} + +- src->exclusive = dest->exclusive = exclusive; ++static void delete_and_unsubscribe_port(struct snd_seq_client *client, ++ struct snd_seq_client_port *port, ++ struct snd_seq_subscribers *subs, ++ bool is_src, bool ack) ++{ ++ struct snd_seq_port_subs_info *grp; ++ ++ grp = is_src ? &port->c_src : &port->c_dest; ++ down_write(&grp->list_mutex); ++ write_lock_irq(&grp->list_lock); ++ if (is_src) ++ list_del(&subs->src_list); ++ else ++ list_del(&subs->dest_list); ++ grp->exclusive = 0; ++ write_unlock_irq(&grp->list_lock); ++ up_write(&grp->list_mutex); ++ ++ unsubscribe_port(client, port, grp, &subs->info, ack); ++} ++ ++/* connect two ports */ ++int snd_seq_port_connect(struct snd_seq_client *connector, ++ struct snd_seq_client *src_client, ++ struct snd_seq_client_port *src_port, ++ struct snd_seq_client *dest_client, ++ struct snd_seq_client_port *dest_port, ++ struct snd_seq_port_subscribe *info) ++{ ++ struct snd_seq_subscribers *subs; ++ bool exclusive; ++ int err; ++ ++ subs = kzalloc(sizeof(*subs), GFP_KERNEL); ++ if (!subs) ++ return -ENOMEM; ++ ++ subs->info = *info; ++ atomic_set(&subs->ref_count, 0); ++ INIT_LIST_HEAD(&subs->src_list); ++ INIT_LIST_HEAD(&subs->dest_list); ++ ++ exclusive = !!(info->flags & SNDRV_SEQ_PORT_SUBS_EXCLUSIVE); ++ ++ err = check_and_subscribe_port(src_client, src_port, subs, true, ++ exclusive, ++ connector->number != src_client->number); ++ if (err < 0) ++ goto error; ++ err = check_and_subscribe_port(dest_client, dest_port, subs, false, ++ exclusive, ++ connector->number != dest_client->number); ++ if (err < 0) ++ goto error_dest; + +- up_write(&dest->list_mutex); +- up_write(&src->list_mutex); + return 0; + +- __error: +- if (src_called) +- unsubscribe_port(src_client, src_port, src, info, +- connector->number != src_client->number); ++ error_dest: ++ delete_and_unsubscribe_port(src_client, src_port, subs, true, ++ connector->number != src_client->number); ++ error: + kfree(subs); +- up_write(&dest->list_mutex); +- up_write(&src->list_mutex); + return err; + } + +- + /* remove the connection */ + int snd_seq_port_disconnect(struct snd_seq_client *connector, + struct snd_seq_client *src_client, +@@ -572,37 +608,28 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector, + struct snd_seq_port_subscribe *info) + { + struct snd_seq_port_subs_info *src = &src_port->c_src; +- struct snd_seq_port_subs_info *dest = &dest_port->c_dest; + struct snd_seq_subscribers *subs; + int err = -ENOENT; +- unsigned long flags; + + down_write(&src->list_mutex); +- down_write_nested(&dest->list_mutex, SINGLE_DEPTH_NESTING); +- + /* look for the connection */ + list_for_each_entry(subs, &src->list_head, src_list) { + if (match_subs_info(info, &subs->info)) { +- write_lock_irqsave(&src->list_lock, flags); +- // write_lock(&dest->list_lock); // no lock yet +- list_del(&subs->src_list); +- list_del(&subs->dest_list); +- // write_unlock(&dest->list_lock); +- write_unlock_irqrestore(&src->list_lock, flags); +- src->exclusive = dest->exclusive = 0; +- unsubscribe_port(src_client, src_port, src, info, +- connector->number != src_client->number); +- unsubscribe_port(dest_client, dest_port, dest, info, +- connector->number != dest_client->number); +- kfree(subs); ++ atomic_dec(&subs->ref_count); /* mark as not ready */ + err = 0; + break; + } + } +- +- up_write(&dest->list_mutex); + up_write(&src->list_mutex); +- return err; ++ if (err < 0) ++ return err; ++ ++ delete_and_unsubscribe_port(src_client, src_port, subs, true, ++ connector->number != src_client->number); ++ delete_and_unsubscribe_port(dest_client, dest_port, subs, false, ++ connector->number != dest_client->number); ++ kfree(subs); ++ return 0; + } + + +diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c +index 24d44b2f61ac..6ec30a98a92a 100644 +--- a/sound/core/seq/seq_timer.c ++++ b/sound/core/seq/seq_timer.c +@@ -92,6 +92,9 @@ void snd_seq_timer_delete(struct snd_seq_timer **tmr) + + void snd_seq_timer_defaults(struct snd_seq_timer * tmr) + { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&tmr->lock, flags); + /* setup defaults */ + tmr->ppq = 96; /* 96 PPQ */ + tmr->tempo = 500000; /* 120 BPM */ +@@ -107,21 +110,25 @@ void snd_seq_timer_defaults(struct snd_seq_timer * tmr) + tmr->preferred_resolution = seq_default_timer_resolution; + + tmr->skew = tmr->skew_base = SKEW_BASE; ++ spin_unlock_irqrestore(&tmr->lock, flags); + } + +-void snd_seq_timer_reset(struct snd_seq_timer * tmr) ++static void seq_timer_reset(struct snd_seq_timer *tmr) + { +- unsigned long flags; +- +- spin_lock_irqsave(&tmr->lock, flags); +- + /* reset time & songposition */ + tmr->cur_time.tv_sec = 0; + tmr->cur_time.tv_nsec = 0; + + tmr->tick.cur_tick = 0; + tmr->tick.fraction = 0; ++} ++ ++void snd_seq_timer_reset(struct snd_seq_timer *tmr) ++{ ++ unsigned long flags; + ++ spin_lock_irqsave(&tmr->lock, flags); ++ seq_timer_reset(tmr); + spin_unlock_irqrestore(&tmr->lock, flags); + } + +@@ -140,8 +147,11 @@ static void snd_seq_timer_interrupt(struct snd_timer_instance *timeri, + tmr = q->timer; + if (tmr == NULL) + return; +- if (!tmr->running) ++ spin_lock_irqsave(&tmr->lock, flags); ++ if (!tmr->running) { ++ spin_unlock_irqrestore(&tmr->lock, flags); + return; ++ } + + resolution *= ticks; + if (tmr->skew != tmr->skew_base) { +@@ -150,8 +160,6 @@ static void snd_seq_timer_interrupt(struct snd_timer_instance *timeri, + (((resolution & 0xffff) * tmr->skew) >> 16); + } + +- spin_lock_irqsave(&tmr->lock, flags); +- + /* update timer */ + snd_seq_inc_time_nsec(&tmr->cur_time, resolution); + +@@ -298,26 +306,30 @@ int snd_seq_timer_open(struct snd_seq_queue *q) + t->callback = snd_seq_timer_interrupt; + t->callback_data = q; + t->flags |= SNDRV_TIMER_IFLG_AUTO; ++ spin_lock_irq(&tmr->lock); + tmr->timeri = t; ++ spin_unlock_irq(&tmr->lock); + return 0; + } + + int snd_seq_timer_close(struct snd_seq_queue *q) + { + struct snd_seq_timer *tmr; ++ struct snd_timer_instance *t; + + tmr = q->timer; + if (snd_BUG_ON(!tmr)) + return -EINVAL; +- if (tmr->timeri) { +- snd_timer_stop(tmr->timeri); +- snd_timer_close(tmr->timeri); +- tmr->timeri = NULL; +- } ++ spin_lock_irq(&tmr->lock); ++ t = tmr->timeri; ++ tmr->timeri = NULL; ++ spin_unlock_irq(&tmr->lock); ++ if (t) ++ snd_timer_close(t); + return 0; + } + +-int snd_seq_timer_stop(struct snd_seq_timer * tmr) ++static int seq_timer_stop(struct snd_seq_timer *tmr) + { + if (! tmr->timeri) + return -EINVAL; +@@ -328,6 +340,17 @@ int snd_seq_timer_stop(struct snd_seq_timer * tmr) + return 0; + } + ++int snd_seq_timer_stop(struct snd_seq_timer *tmr) ++{ ++ unsigned long flags; ++ int err; ++ ++ spin_lock_irqsave(&tmr->lock, flags); ++ err = seq_timer_stop(tmr); ++ spin_unlock_irqrestore(&tmr->lock, flags); ++ return err; ++} ++ + static int initialize_timer(struct snd_seq_timer *tmr) + { + struct snd_timer *t; +@@ -360,13 +383,13 @@ static int initialize_timer(struct snd_seq_timer *tmr) + return 0; + } + +-int snd_seq_timer_start(struct snd_seq_timer * tmr) ++static int seq_timer_start(struct snd_seq_timer *tmr) + { + if (! tmr->timeri) + return -EINVAL; + if (tmr->running) +- snd_seq_timer_stop(tmr); +- snd_seq_timer_reset(tmr); ++ seq_timer_stop(tmr); ++ seq_timer_reset(tmr); + if (initialize_timer(tmr) < 0) + return -EINVAL; + snd_timer_start(tmr->timeri, tmr->ticks); +@@ -375,14 +398,25 @@ int snd_seq_timer_start(struct snd_seq_timer * tmr) + return 0; + } + +-int snd_seq_timer_continue(struct snd_seq_timer * tmr) ++int snd_seq_timer_start(struct snd_seq_timer *tmr) ++{ ++ unsigned long flags; ++ int err; ++ ++ spin_lock_irqsave(&tmr->lock, flags); ++ err = seq_timer_start(tmr); ++ spin_unlock_irqrestore(&tmr->lock, flags); ++ return err; ++} ++ ++static int seq_timer_continue(struct snd_seq_timer *tmr) + { + if (! tmr->timeri) + return -EINVAL; + if (tmr->running) + return -EBUSY; + if (! tmr->initialized) { +- snd_seq_timer_reset(tmr); ++ seq_timer_reset(tmr); + if (initialize_timer(tmr) < 0) + return -EINVAL; + } +@@ -392,11 +426,24 @@ int snd_seq_timer_continue(struct snd_seq_timer * tmr) + return 0; + } + ++int snd_seq_timer_continue(struct snd_seq_timer *tmr) ++{ ++ unsigned long flags; ++ int err; ++ ++ spin_lock_irqsave(&tmr->lock, flags); ++ err = seq_timer_continue(tmr); ++ spin_unlock_irqrestore(&tmr->lock, flags); ++ return err; ++} ++ + /* return current 'real' time. use timeofday() to get better granularity. */ + snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) + { + snd_seq_real_time_t cur_time; ++ unsigned long flags; + ++ spin_lock_irqsave(&tmr->lock, flags); + cur_time = tmr->cur_time; + if (tmr->running) { + struct timeval tm; +@@ -412,7 +459,7 @@ snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) + } + snd_seq_sanity_real_time(&cur_time); + } +- ++ spin_unlock_irqrestore(&tmr->lock, flags); + return cur_time; + } + +diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c +index 4b50e604276d..0fa691e01384 100644 +--- a/sound/core/seq/seq_virmidi.c ++++ b/sound/core/seq/seq_virmidi.c +@@ -254,9 +254,13 @@ static int snd_virmidi_output_open(struct snd_rawmidi_substream *substream) + */ + static int snd_virmidi_input_close(struct snd_rawmidi_substream *substream) + { ++ struct snd_virmidi_dev *rdev = substream->rmidi->private_data; + struct snd_virmidi *vmidi = substream->runtime->private_data; +- snd_midi_event_free(vmidi->parser); ++ ++ write_lock_irq(&rdev->filelist_lock); + list_del(&vmidi->list); ++ write_unlock_irq(&rdev->filelist_lock); ++ snd_midi_event_free(vmidi->parser); + substream->runtime->private_data = NULL; + kfree(vmidi); + return 0; +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 4e436fe53afa..d90d8f4b85fe 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -300,8 +300,7 @@ int snd_timer_open(struct snd_timer_instance **ti, + return 0; + } + +-static int _snd_timer_stop(struct snd_timer_instance *timeri, +- int keep_flag, int event); ++static int _snd_timer_stop(struct snd_timer_instance *timeri, int event); + + /* + * close a timer instance +@@ -343,7 +342,7 @@ int snd_timer_close(struct snd_timer_instance *timeri) + spin_unlock_irq(&timer->lock); + mutex_lock(®ister_mutex); + list_del(&timeri->open_list); +- if (timer && list_empty(&timer->open_list_head) && ++ if (list_empty(&timer->open_list_head) && + timer->hw.close) + timer->hw.close(timer); + /* remove slave links */ +@@ -415,7 +414,7 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event) + spin_lock_irqsave(&timer->lock, flags); + list_for_each_entry(ts, &ti->slave_active_head, active_list) + if (ts->ccallback) +- ts->ccallback(ti, event + 100, &tstamp, resolution); ++ ts->ccallback(ts, event + 100, &tstamp, resolution); + spin_unlock_irqrestore(&timer->lock, flags); + } + +@@ -444,6 +443,10 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri) + unsigned long flags; + + spin_lock_irqsave(&slave_active_lock, flags); ++ if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) { ++ spin_unlock_irqrestore(&slave_active_lock, flags); ++ return -EBUSY; ++ } + timeri->flags |= SNDRV_TIMER_IFLG_RUNNING; + if (timeri->master && timeri->timer) { + spin_lock(&timeri->timer->lock); +@@ -468,23 +471,30 @@ int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks) + return -EINVAL; + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) { + result = snd_timer_start_slave(timeri); +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); ++ if (result >= 0) ++ snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); + return result; + } + timer = timeri->timer; + if (timer == NULL) + return -EINVAL; + spin_lock_irqsave(&timer->lock, flags); ++ if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | ++ SNDRV_TIMER_IFLG_START)) { ++ result = -EBUSY; ++ goto unlock; ++ } + timeri->ticks = timeri->cticks = ticks; + timeri->pticks = 0; + result = snd_timer_start1(timer, timeri, ticks); ++ unlock: + spin_unlock_irqrestore(&timer->lock, flags); +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); ++ if (result >= 0) ++ snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); + return result; + } + +-static int _snd_timer_stop(struct snd_timer_instance * timeri, +- int keep_flag, int event) ++static int _snd_timer_stop(struct snd_timer_instance *timeri, int event) + { + struct snd_timer *timer; + unsigned long flags; +@@ -493,19 +503,30 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, + return -ENXIO; + + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) { +- if (!keep_flag) { +- spin_lock_irqsave(&slave_active_lock, flags); +- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; +- list_del_init(&timeri->ack_list); +- list_del_init(&timeri->active_list); ++ spin_lock_irqsave(&slave_active_lock, flags); ++ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) { + spin_unlock_irqrestore(&slave_active_lock, flags); ++ return -EBUSY; + } ++ if (timeri->timer) ++ spin_lock(&timeri->timer->lock); ++ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; ++ list_del_init(&timeri->ack_list); ++ list_del_init(&timeri->active_list); ++ if (timeri->timer) ++ spin_unlock(&timeri->timer->lock); ++ spin_unlock_irqrestore(&slave_active_lock, flags); + goto __end; + } + timer = timeri->timer; + if (!timer) + return -EINVAL; + spin_lock_irqsave(&timer->lock, flags); ++ if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | ++ SNDRV_TIMER_IFLG_START))) { ++ spin_unlock_irqrestore(&timer->lock, flags); ++ return -EBUSY; ++ } + list_del_init(&timeri->ack_list); + list_del_init(&timeri->active_list); + if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) && +@@ -520,9 +541,7 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, + } + } + } +- if (!keep_flag) +- timeri->flags &= +- ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); ++ timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); + spin_unlock_irqrestore(&timer->lock, flags); + __end: + if (event != SNDRV_TIMER_EVENT_RESOLUTION) +@@ -541,7 +560,7 @@ int snd_timer_stop(struct snd_timer_instance *timeri) + unsigned long flags; + int err; + +- err = _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_STOP); ++ err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP); + if (err < 0) + return err; + timer = timeri->timer; +@@ -571,10 +590,15 @@ int snd_timer_continue(struct snd_timer_instance *timeri) + if (! timer) + return -EINVAL; + spin_lock_irqsave(&timer->lock, flags); ++ if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) { ++ result = -EBUSY; ++ goto unlock; ++ } + if (!timeri->cticks) + timeri->cticks = 1; + timeri->pticks = 0; + result = snd_timer_start1(timer, timeri, timer->sticks); ++ unlock: + spin_unlock_irqrestore(&timer->lock, flags); + snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE); + return result; +@@ -585,7 +609,7 @@ int snd_timer_continue(struct snd_timer_instance *timeri) + */ + int snd_timer_pause(struct snd_timer_instance * timeri) + { +- return _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_PAUSE); ++ return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE); + } + + /* +@@ -702,8 +726,8 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left) + ti->cticks = ti->ticks; + } else { + ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING; +- if (--timer->running) +- list_del_init(&ti->active_list); ++ --timer->running; ++ list_del_init(&ti->active_list); + } + if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) || + (ti->flags & SNDRV_TIMER_IFLG_FAST)) +diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c +index 915b4d7fbb23..8946cef245fc 100644 +--- a/sound/drivers/dummy.c ++++ b/sound/drivers/dummy.c +@@ -109,6 +109,9 @@ struct dummy_timer_ops { + snd_pcm_uframes_t (*pointer)(struct snd_pcm_substream *); + }; + ++#define get_dummy_ops(substream) \ ++ (*(const struct dummy_timer_ops **)(substream)->runtime->private_data) ++ + struct dummy_model { + const char *name; + int (*playback_constraints)(struct snd_pcm_runtime *runtime); +@@ -137,7 +140,6 @@ struct snd_dummy { + int iobox; + struct snd_kcontrol *cd_volume_ctl; + struct snd_kcontrol *cd_switch_ctl; +- const struct dummy_timer_ops *timer_ops; + }; + + /* +@@ -231,6 +233,8 @@ struct dummy_model *dummy_models[] = { + */ + + struct dummy_systimer_pcm { ++ /* ops must be the first item */ ++ const struct dummy_timer_ops *timer_ops; + spinlock_t lock; + struct timer_list timer; + unsigned long base_time; +@@ -368,6 +372,8 @@ static struct dummy_timer_ops dummy_systimer_ops = { + */ + + struct dummy_hrtimer_pcm { ++ /* ops must be the first item */ ++ const struct dummy_timer_ops *timer_ops; + ktime_t base_time; + ktime_t period_time; + atomic_t running; +@@ -494,31 +500,25 @@ static struct dummy_timer_ops dummy_hrtimer_ops = { + + static int dummy_pcm_trigger(struct snd_pcm_substream *substream, int cmd) + { +- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); +- + switch (cmd) { + case SNDRV_PCM_TRIGGER_START: + case SNDRV_PCM_TRIGGER_RESUME: +- return dummy->timer_ops->start(substream); ++ return get_dummy_ops(substream)->start(substream); + case SNDRV_PCM_TRIGGER_STOP: + case SNDRV_PCM_TRIGGER_SUSPEND: +- return dummy->timer_ops->stop(substream); ++ return get_dummy_ops(substream)->stop(substream); + } + return -EINVAL; + } + + static int dummy_pcm_prepare(struct snd_pcm_substream *substream) + { +- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); +- +- return dummy->timer_ops->prepare(substream); ++ return get_dummy_ops(substream)->prepare(substream); + } + + static snd_pcm_uframes_t dummy_pcm_pointer(struct snd_pcm_substream *substream) + { +- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); +- +- return dummy->timer_ops->pointer(substream); ++ return get_dummy_ops(substream)->pointer(substream); + } + + static struct snd_pcm_hardware dummy_pcm_hardware = { +@@ -564,17 +564,19 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) + struct snd_dummy *dummy = snd_pcm_substream_chip(substream); + struct dummy_model *model = dummy->model; + struct snd_pcm_runtime *runtime = substream->runtime; ++ const struct dummy_timer_ops *ops; + int err; + +- dummy->timer_ops = &dummy_systimer_ops; ++ ops = &dummy_systimer_ops; + #ifdef CONFIG_HIGH_RES_TIMERS + if (hrtimer) +- dummy->timer_ops = &dummy_hrtimer_ops; ++ ops = &dummy_hrtimer_ops; + #endif + +- err = dummy->timer_ops->create(substream); ++ err = ops->create(substream); + if (err < 0) + return err; ++ get_dummy_ops(substream) = ops; + + runtime->hw = dummy->pcm_hw; + if (substream->pcm->device & 1) { +@@ -596,7 +598,7 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) + err = model->capture_constraints(substream->runtime); + } + if (err < 0) { +- dummy->timer_ops->free(substream); ++ get_dummy_ops(substream)->free(substream); + return err; + } + return 0; +@@ -604,8 +606,7 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) + + static int dummy_pcm_close(struct snd_pcm_substream *substream) + { +- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); +- dummy->timer_ops->free(substream); ++ get_dummy_ops(substream)->free(substream); + return 0; + } + +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index 3c90743fa50b..eef182bea2ad 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -617,6 +617,7 @@ enum { + CS4208_MAC_AUTO, + CS4208_MBA6, + CS4208_MBP11, ++ CS4208_MACMINI, + CS4208_GPIO0, + }; + +@@ -624,6 +625,7 @@ static const struct hda_model_fixup cs4208_models[] = { + { .id = CS4208_GPIO0, .name = "gpio0" }, + { .id = CS4208_MBA6, .name = "mba6" }, + { .id = CS4208_MBP11, .name = "mbp11" }, ++ { .id = CS4208_MACMINI, .name = "macmini" }, + {} + }; + +@@ -635,6 +637,7 @@ static const struct snd_pci_quirk cs4208_fixup_tbl[] = { + /* codec SSID matching */ + static const struct snd_pci_quirk cs4208_mac_fixup_tbl[] = { + SND_PCI_QUIRK(0x106b, 0x5e00, "MacBookPro 11,2", CS4208_MBP11), ++ SND_PCI_QUIRK(0x106b, 0x6c00, "MacMini 7,1", CS4208_MACMINI), + SND_PCI_QUIRK(0x106b, 0x7100, "MacBookAir 6,1", CS4208_MBA6), + SND_PCI_QUIRK(0x106b, 0x7200, "MacBookAir 6,2", CS4208_MBA6), + SND_PCI_QUIRK(0x106b, 0x7b00, "MacBookPro 12,1", CS4208_MBP11), +@@ -667,6 +670,24 @@ static void cs4208_fixup_mac(struct hda_codec *codec, + snd_hda_apply_fixup(codec, action); + } + ++/* MacMini 7,1 has the inverted jack detection */ ++static void cs4208_fixup_macmini(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ static const struct hda_pintbl pincfgs[] = { ++ { 0x18, 0x00ab9150 }, /* mic (audio-in) jack: disable detect */ ++ { 0x21, 0x004be140 }, /* SPDIF: disable detect */ ++ { } ++ }; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ /* HP pin (0x10) has an inverted detection */ ++ codec->inv_jack_detect = 1; ++ /* disable the bogus Mic and SPDIF jack detections */ ++ snd_hda_apply_pincfgs(codec, pincfgs); ++ } ++} ++ + static int cs4208_spdif_sw_put(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { +@@ -710,6 +731,12 @@ static const struct hda_fixup cs4208_fixups[] = { + .chained = true, + .chain_id = CS4208_GPIO0, + }, ++ [CS4208_MACMINI] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cs4208_fixup_macmini, ++ .chained = true, ++ .chain_id = CS4208_GPIO0, ++ }, + [CS4208_GPIO0] = { + .type = HDA_FIXUP_FUNC, + .v.func = cs4208_fixup_gpio0, +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 611110a3f1a4..55ce39df9cd7 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -426,7 +426,8 @@ static int hdmi_eld_ctl_get(struct snd_kcontrol *kcontrol, + eld = &per_pin->sink_eld; + + mutex_lock(&per_pin->lock); +- if (eld->eld_size > ARRAY_SIZE(ucontrol->value.bytes.data)) { ++ if (eld->eld_size > ARRAY_SIZE(ucontrol->value.bytes.data) || ++ eld->eld_size > ELD_MAX_SIZE) { + mutex_unlock(&per_pin->lock); + snd_BUG(); + return -EINVAL; +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index bd0b986f7d50..eeb5b68e9e3e 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2266,6 +2266,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT), + SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP), + SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP), ++ SND_PCI_QUIRK(0x104d, 0x9044, "Sony VAIO AiO", ALC882_FIXUP_NO_PRIMARY_HP), + + /* All Apple entries are in codec SSIDs */ + SND_PCI_QUIRK(0x106b, 0x00a0, "MacBookPro 3,1", ALC889_FIXUP_MBP_VREF), +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index e28704e1274a..431a89b75ff3 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -1404,7 +1404,8 @@ int dpcm_be_dai_hw_free(struct snd_soc_pcm_runtime *fe, int stream) + (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PREPARE) && + (be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_FREE) && + (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED) && +- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP)) ++ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP) && ++ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_SUSPEND)) + continue; + + dev_dbg(be->dev, "ASoC: hw_free BE %s\n", +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 9123fc518f07..424c1e874bd3 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -2365,7 +2365,6 @@ int snd_usbmidi_create(struct snd_card *card, + else + err = snd_usbmidi_create_endpoints(umidi, endpoints); + if (err < 0) { +- snd_usbmidi_free(umidi); + return err; + } + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 901f87dea827..9a599b1bc6ba 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1128,8 +1128,12 @@ void snd_usb_set_interface_quirk(struct usb_device *dev) + * "Playback Design" products need a 50ms delay after setting the + * USB interface. + */ +- if (le16_to_cpu(dev->descriptor.idVendor) == 0x23ba) ++ switch (le16_to_cpu(dev->descriptor.idVendor)) { ++ case 0x23ba: /* Playback Design */ ++ case 0x0644: /* TEAC Corp. */ + mdelay(50); ++ break; ++ } + } + + void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, +@@ -1144,6 +1148,14 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, + (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) + mdelay(20); + ++ /* ++ * "TEAC Corp." products need a 20ms delay after each ++ * class compliant request ++ */ ++ if ((le16_to_cpu(dev->descriptor.idVendor) == 0x0644) && ++ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) ++ mdelay(20); ++ + /* Marantz/Denon devices with USB DAC functionality need a delay + * after each class compliant request + */ diff --git a/patch/kernel/cubox-dev/patch-3.14.61-62.patch b/patch/kernel/cubox-dev/patch-3.14.61-62.patch new file mode 100644 index 000000000..0ff567447 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.61-62.patch @@ -0,0 +1,2180 @@ +diff --git a/Makefile b/Makefile +index fbf4ec689957..b738f644c71e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 61 ++SUBLEVEL = 62 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/boot/dts/kirkwood-ts219.dtsi b/arch/arm/boot/dts/kirkwood-ts219.dtsi +index 911f3a8cee23..f4227da77265 100644 +--- a/arch/arm/boot/dts/kirkwood-ts219.dtsi ++++ b/arch/arm/boot/dts/kirkwood-ts219.dtsi +@@ -47,7 +47,7 @@ + }; + poweroff@12100 { + compatible = "qnap,power-off"; +- reg = <0x12000 0x100>; ++ reg = <0x12100 0x100>; + clocks = <&gate_clk 7>; + }; + spi@10600 { +diff --git a/arch/arm/common/icst.c b/arch/arm/common/icst.c +index 2dc6da70ae59..d7ed252708c5 100644 +--- a/arch/arm/common/icst.c ++++ b/arch/arm/common/icst.c +@@ -16,7 +16,7 @@ + */ + #include + #include +- ++#include + #include + + /* +@@ -29,7 +29,11 @@ EXPORT_SYMBOL(icst525_s2div); + + unsigned long icst_hz(const struct icst_params *p, struct icst_vco vco) + { +- return p->ref * 2 * (vco.v + 8) / ((vco.r + 2) * p->s2div[vco.s]); ++ u64 dividend = p->ref * 2 * (u64)(vco.v + 8); ++ u32 divisor = (vco.r + 2) * p->s2div[vco.s]; ++ ++ do_div(dividend, divisor); ++ return (unsigned long)dividend; + } + + EXPORT_SYMBOL(icst_hz); +@@ -58,6 +62,7 @@ icst_hz_to_vco(const struct icst_params *p, unsigned long freq) + + if (f > p->vco_min && f <= p->vco_max) + break; ++ i++; + } while (i < 8); + + if (i >= 8) +diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S +index fdedc31e0f40..093eff182d63 100644 +--- a/arch/arm/mm/proc-v7.S ++++ b/arch/arm/mm/proc-v7.S +@@ -95,7 +95,7 @@ ENDPROC(cpu_v7_dcache_clean_area) + .equ cpu_v7_suspend_size, 4 * 9 + #ifdef CONFIG_ARM_CPU_SUSPEND + ENTRY(cpu_v7_do_suspend) +- stmfd sp!, {r4 - r10, lr} ++ stmfd sp!, {r4 - r11, lr} + mrc p15, 0, r4, c13, c0, 0 @ FCSE/PID + mrc p15, 0, r5, c13, c0, 3 @ User r/o thread ID + stmia r0!, {r4 - r5} +@@ -112,7 +112,7 @@ ENTRY(cpu_v7_do_suspend) + mrc p15, 0, r9, c1, c0, 1 @ Auxiliary control register + mrc p15, 0, r10, c1, c0, 2 @ Co-processor access control + stmia r0, {r5 - r11} +- ldmfd sp!, {r4 - r10, pc} ++ ldmfd sp!, {r4 - r11, pc} + ENDPROC(cpu_v7_do_suspend) + + ENTRY(cpu_v7_do_resume) +diff --git a/arch/m32r/kernel/setup.c b/arch/m32r/kernel/setup.c +index 0392112a5d70..a5ecef7188ba 100644 +--- a/arch/m32r/kernel/setup.c ++++ b/arch/m32r/kernel/setup.c +@@ -81,7 +81,10 @@ static struct resource code_resource = { + }; + + unsigned long memory_start; ++EXPORT_SYMBOL(memory_start); ++ + unsigned long memory_end; ++EXPORT_SYMBOL(memory_end); + + void __init setup_arch(char **); + int get_cpuinfo(char *); +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index 818dce344e82..b3bad672e5d9 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -1805,7 +1805,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) + + /* Emulate H_SET_DABR/X on P8 for the sake of compat mode guests */ + 2: rlwimi r5, r4, 5, DAWRX_DR | DAWRX_DW +- rlwimi r5, r4, 1, DAWRX_WT ++ rlwimi r5, r4, 2, DAWRX_WT + clrrdi r4, r4, 3 + std r4, VCPU_DAWR(r3) + std r5, VCPU_DAWRX(r3) +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index fed892de9baf..bdd2a44fbb1a 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -33,7 +33,7 @@ struct cpa_data { + pgd_t *pgd; + pgprot_t mask_set; + pgprot_t mask_clr; +- int numpages; ++ unsigned long numpages; + int flags; + unsigned long pfn; + unsigned force_split : 1; +@@ -1289,7 +1289,7 @@ static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias) + * CPA operation. Either a large page has been + * preserved or a single page update happened. + */ +- BUG_ON(cpa->numpages > numpages); ++ BUG_ON(cpa->numpages > numpages || !cpa->numpages); + numpages -= cpa->numpages; + if (cpa->flags & (CPA_PAGES_ARRAY | CPA_ARRAY)) + cpa->curpage++; +diff --git a/block/blk-core.c b/block/blk-core.c +index e45b321cf6a0..46be0cddf819 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -3164,6 +3164,9 @@ int blk_pre_runtime_suspend(struct request_queue *q) + { + int ret = 0; + ++ if (!q->dev) ++ return ret; ++ + spin_lock_irq(q->queue_lock); + if (q->nr_pending) { + ret = -EBUSY; +@@ -3191,6 +3194,9 @@ EXPORT_SYMBOL(blk_pre_runtime_suspend); + */ + void blk_post_runtime_suspend(struct request_queue *q, int err) + { ++ if (!q->dev) ++ return; ++ + spin_lock_irq(q->queue_lock); + if (!err) { + q->rpm_status = RPM_SUSPENDED; +@@ -3215,6 +3221,9 @@ EXPORT_SYMBOL(blk_post_runtime_suspend); + */ + void blk_pre_runtime_resume(struct request_queue *q) + { ++ if (!q->dev) ++ return; ++ + spin_lock_irq(q->queue_lock); + q->rpm_status = RPM_RESUMING; + spin_unlock_irq(q->queue_lock); +@@ -3237,6 +3246,9 @@ EXPORT_SYMBOL(blk_pre_runtime_resume); + */ + void blk_post_runtime_resume(struct request_queue *q, int err) + { ++ if (!q->dev) ++ return; ++ + spin_lock_irq(q->queue_lock); + if (!err) { + q->rpm_status = RPM_ACTIVE; +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index de5ab4876a89..951ecd52226c 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -3655,6 +3655,7 @@ unlock: + int i915_gem_set_caching_ioctl(struct drm_device *dev, void *data, + struct drm_file *file) + { ++ struct drm_i915_private *dev_priv = dev->dev_private; + struct drm_i915_gem_caching *args = data; + struct drm_i915_gem_object *obj; + enum i915_cache_level level; +@@ -3674,9 +3675,11 @@ int i915_gem_set_caching_ioctl(struct drm_device *dev, void *data, + return -EINVAL; + } + ++ intel_runtime_pm_get(dev_priv); ++ + ret = i915_mutex_lock_interruptible(dev); + if (ret) +- return ret; ++ goto rpm_put; + + obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle)); + if (&obj->base == NULL) { +@@ -3689,6 +3692,9 @@ int i915_gem_set_caching_ioctl(struct drm_device *dev, void *data, + drm_gem_object_unreference(&obj->base); + unlock: + mutex_unlock(&dev->struct_mutex); ++rpm_put: ++ intel_runtime_pm_put(dev_priv); ++ + return ret; + } + +diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c +index 4dddeabdfbb0..5da07546e182 100644 +--- a/drivers/iio/adc/ad7793.c ++++ b/drivers/iio/adc/ad7793.c +@@ -101,7 +101,7 @@ + #define AD7795_CH_AIN1M_AIN1M 8 /* AIN1(-) - AIN1(-) */ + + /* ID Register Bit Designations (AD7793_REG_ID) */ +-#define AD7785_ID 0xB ++#define AD7785_ID 0x3 + #define AD7792_ID 0xA + #define AD7793_ID 0xB + #define AD7794_ID 0xF +diff --git a/drivers/iio/dac/ad5064.c b/drivers/iio/dac/ad5064.c +index f03b92fd3803..aac16fecdfa8 100644 +--- a/drivers/iio/dac/ad5064.c ++++ b/drivers/iio/dac/ad5064.c +@@ -113,12 +113,16 @@ enum ad5064_type { + ID_AD5065, + ID_AD5628_1, + ID_AD5628_2, ++ ID_AD5629_1, ++ ID_AD5629_2, + ID_AD5648_1, + ID_AD5648_2, + ID_AD5666_1, + ID_AD5666_2, + ID_AD5668_1, + ID_AD5668_2, ++ ID_AD5669_1, ++ ID_AD5669_2, + }; + + static int ad5064_write(struct ad5064_state *st, unsigned int cmd, +@@ -291,7 +295,7 @@ static const struct iio_chan_spec_ext_info ad5064_ext_info[] = { + { }, + }; + +-#define AD5064_CHANNEL(chan, addr, bits) { \ ++#define AD5064_CHANNEL(chan, addr, bits, _shift) { \ + .type = IIO_VOLTAGE, \ + .indexed = 1, \ + .output = 1, \ +@@ -303,36 +307,39 @@ static const struct iio_chan_spec_ext_info ad5064_ext_info[] = { + .sign = 'u', \ + .realbits = (bits), \ + .storagebits = 16, \ +- .shift = 20 - bits, \ ++ .shift = (_shift), \ + }, \ + .ext_info = ad5064_ext_info, \ + } + +-#define DECLARE_AD5064_CHANNELS(name, bits) \ ++#define DECLARE_AD5064_CHANNELS(name, bits, shift) \ + const struct iio_chan_spec name[] = { \ +- AD5064_CHANNEL(0, 0, bits), \ +- AD5064_CHANNEL(1, 1, bits), \ +- AD5064_CHANNEL(2, 2, bits), \ +- AD5064_CHANNEL(3, 3, bits), \ +- AD5064_CHANNEL(4, 4, bits), \ +- AD5064_CHANNEL(5, 5, bits), \ +- AD5064_CHANNEL(6, 6, bits), \ +- AD5064_CHANNEL(7, 7, bits), \ ++ AD5064_CHANNEL(0, 0, bits, shift), \ ++ AD5064_CHANNEL(1, 1, bits, shift), \ ++ AD5064_CHANNEL(2, 2, bits, shift), \ ++ AD5064_CHANNEL(3, 3, bits, shift), \ ++ AD5064_CHANNEL(4, 4, bits, shift), \ ++ AD5064_CHANNEL(5, 5, bits, shift), \ ++ AD5064_CHANNEL(6, 6, bits, shift), \ ++ AD5064_CHANNEL(7, 7, bits, shift), \ + } + +-#define DECLARE_AD5065_CHANNELS(name, bits) \ ++#define DECLARE_AD5065_CHANNELS(name, bits, shift) \ + const struct iio_chan_spec name[] = { \ +- AD5064_CHANNEL(0, 0, bits), \ +- AD5064_CHANNEL(1, 3, bits), \ ++ AD5064_CHANNEL(0, 0, bits, shift), \ ++ AD5064_CHANNEL(1, 3, bits, shift), \ + } + +-static DECLARE_AD5064_CHANNELS(ad5024_channels, 12); +-static DECLARE_AD5064_CHANNELS(ad5044_channels, 14); +-static DECLARE_AD5064_CHANNELS(ad5064_channels, 16); ++static DECLARE_AD5064_CHANNELS(ad5024_channels, 12, 8); ++static DECLARE_AD5064_CHANNELS(ad5044_channels, 14, 6); ++static DECLARE_AD5064_CHANNELS(ad5064_channels, 16, 4); + +-static DECLARE_AD5065_CHANNELS(ad5025_channels, 12); +-static DECLARE_AD5065_CHANNELS(ad5045_channels, 14); +-static DECLARE_AD5065_CHANNELS(ad5065_channels, 16); ++static DECLARE_AD5065_CHANNELS(ad5025_channels, 12, 8); ++static DECLARE_AD5065_CHANNELS(ad5045_channels, 14, 6); ++static DECLARE_AD5065_CHANNELS(ad5065_channels, 16, 4); ++ ++static DECLARE_AD5064_CHANNELS(ad5629_channels, 12, 4); ++static DECLARE_AD5064_CHANNELS(ad5669_channels, 16, 0); + + static const struct ad5064_chip_info ad5064_chip_info_tbl[] = { + [ID_AD5024] = { +@@ -382,6 +389,18 @@ static const struct ad5064_chip_info ad5064_chip_info_tbl[] = { + .channels = ad5024_channels, + .num_channels = 8, + }, ++ [ID_AD5629_1] = { ++ .shared_vref = true, ++ .internal_vref = 2500000, ++ .channels = ad5629_channels, ++ .num_channels = 8, ++ }, ++ [ID_AD5629_2] = { ++ .shared_vref = true, ++ .internal_vref = 5000000, ++ .channels = ad5629_channels, ++ .num_channels = 8, ++ }, + [ID_AD5648_1] = { + .shared_vref = true, + .internal_vref = 2500000, +@@ -418,6 +437,18 @@ static const struct ad5064_chip_info ad5064_chip_info_tbl[] = { + .channels = ad5064_channels, + .num_channels = 8, + }, ++ [ID_AD5669_1] = { ++ .shared_vref = true, ++ .internal_vref = 2500000, ++ .channels = ad5669_channels, ++ .num_channels = 8, ++ }, ++ [ID_AD5669_2] = { ++ .shared_vref = true, ++ .internal_vref = 5000000, ++ .channels = ad5669_channels, ++ .num_channels = 8, ++ }, + }; + + static inline unsigned int ad5064_num_vref(struct ad5064_state *st) +@@ -598,10 +629,16 @@ static int ad5064_i2c_write(struct ad5064_state *st, unsigned int cmd, + unsigned int addr, unsigned int val) + { + struct i2c_client *i2c = to_i2c_client(st->dev); ++ int ret; + + st->data.i2c[0] = (cmd << 4) | addr; + put_unaligned_be16(val, &st->data.i2c[1]); +- return i2c_master_send(i2c, st->data.i2c, 3); ++ ++ ret = i2c_master_send(i2c, st->data.i2c, 3); ++ if (ret < 0) ++ return ret; ++ ++ return 0; + } + + static int ad5064_i2c_probe(struct i2c_client *i2c, +@@ -617,12 +654,12 @@ static int ad5064_i2c_remove(struct i2c_client *i2c) + } + + static const struct i2c_device_id ad5064_i2c_ids[] = { +- {"ad5629-1", ID_AD5628_1}, +- {"ad5629-2", ID_AD5628_2}, +- {"ad5629-3", ID_AD5628_2}, /* similar enough to ad5629-2 */ +- {"ad5669-1", ID_AD5668_1}, +- {"ad5669-2", ID_AD5668_2}, +- {"ad5669-3", ID_AD5668_2}, /* similar enough to ad5669-2 */ ++ {"ad5629-1", ID_AD5629_1}, ++ {"ad5629-2", ID_AD5629_2}, ++ {"ad5629-3", ID_AD5629_2}, /* similar enough to ad5629-2 */ ++ {"ad5669-1", ID_AD5669_1}, ++ {"ad5669-2", ID_AD5669_2}, ++ {"ad5669-3", ID_AD5669_2}, /* similar enough to ad5669-2 */ + {} + }; + MODULE_DEVICE_TABLE(i2c, ad5064_i2c_ids); +diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c +index 7d9f5c31d2fc..0cedc81be312 100644 +--- a/drivers/iio/dac/mcp4725.c ++++ b/drivers/iio/dac/mcp4725.c +@@ -301,6 +301,7 @@ static int mcp4725_probe(struct i2c_client *client, + data->client = client; + + indio_dev->dev.parent = &client->dev; ++ indio_dev->name = id->name; + indio_dev->info = &mcp4725_info; + indio_dev->channels = &mcp4725_channel; + indio_dev->num_channels = 1; +diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c +index cb32b593f1c5..36607d52fee0 100644 +--- a/drivers/iio/imu/adis_buffer.c ++++ b/drivers/iio/imu/adis_buffer.c +@@ -43,7 +43,7 @@ int adis_update_scan_mode(struct iio_dev *indio_dev, + return -ENOMEM; + + rx = adis->buffer; +- tx = rx + indio_dev->scan_bytes; ++ tx = rx + scan_count; + + spi_message_init(&adis->msg); + +diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c +index 37b52bd44f86..a9164b51b5dc 100644 +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -830,7 +830,7 @@ int iio_scan_mask_set(struct iio_dev *indio_dev, + if (trialmask == NULL) + return -ENOMEM; + if (!indio_dev->masklength) { +- WARN_ON("Trying to set scanmask prior to registering buffer\n"); ++ WARN(1, "Trying to set scanmask prior to registering buffer\n"); + goto err_invalid_mask; + } + bitmap_copy(trialmask, buffer->scan_mask, indio_dev->masklength); +diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c +index acc911a836ca..a7b073b5e263 100644 +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -589,7 +589,7 @@ int __iio_device_attr_init(struct device_attribute *dev_attr, + break; + case IIO_SEPARATE: + if (!chan->indexed) { +- WARN_ON("Differential channels must be indexed\n"); ++ WARN(1, "Differential channels must be indexed\n"); + ret = -EINVAL; + goto error_free_full_postfix; + } +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 94eaaf0c49b3..9e497e4041a6 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1111,7 +1111,7 @@ static int elantech_set_input_params(struct psmouse *psmouse) + input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2, + ETP_WMAX_V2, 0, 0); + } +- input_mt_init_slots(dev, 2, 0); ++ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT); + input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0); + input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0); + break; +@@ -1387,6 +1387,13 @@ static const struct dmi_system_id no_hw_res_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "U2442"), + }, + }, ++ { ++ /* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), ++ }, ++ }, + #endif + { } + }; +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index dd6d14d2337f..a4baf9677a45 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -258,6 +258,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { + }, + }, + { ++ /* Fujitsu Lifebook U745 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), ++ }, ++ }, ++ { + /* Fujitsu T70H */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c +index 158156543410..2d7bb594626c 100644 +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -986,7 +986,7 @@ void dmar_disable_qi(struct intel_iommu *iommu) + + raw_spin_lock_irqsave(&iommu->register_lock, flags); + +- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); ++ sts = readl(iommu->reg + DMAR_GSTS_REG); + if (!(sts & DMA_GSTS_QIES)) + goto end; + +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index ef5f65dbafe9..ffad080db013 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -489,7 +489,7 @@ static void iommu_disable_irq_remapping(struct intel_iommu *iommu) + + raw_spin_lock_irqsave(&iommu->register_lock, flags); + +- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); ++ sts = readl(iommu->reg + DMAR_GSTS_REG); + if (!(sts & DMA_GSTS_IRES)) + goto end; + +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c +index 5895f1978691..e98de425f8e0 100644 +--- a/drivers/net/wan/x25_asy.c ++++ b/drivers/net/wan/x25_asy.c +@@ -545,16 +545,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty, + + static int x25_asy_open_tty(struct tty_struct *tty) + { +- struct x25_asy *sl = tty->disc_data; ++ struct x25_asy *sl; + int err; + + if (tty->ops->write == NULL) + return -EOPNOTSUPP; + +- /* First make sure we're not already connected. */ +- if (sl && sl->magic == X25_ASY_MAGIC) +- return -EEXIST; +- + /* OK. Find a free X.25 channel to use. */ + sl = x25_asy_alloc(); + if (sl == NULL) +diff --git a/drivers/phy/phy-twl4030-usb.c b/drivers/phy/phy-twl4030-usb.c +index aaac3594f83b..452b637be676 100644 +--- a/drivers/phy/phy-twl4030-usb.c ++++ b/drivers/phy/phy-twl4030-usb.c +@@ -777,6 +777,7 @@ static int twl4030_usb_remove(struct platform_device *pdev) + struct twl4030_usb *twl = platform_get_drvdata(pdev); + int val; + ++ usb_remove_phy(&twl->phy); + pm_runtime_get_sync(twl->dev); + cancel_delayed_work(&twl->id_workaround_work); + device_remove_file(twl->dev, &dev_attr_vbus); +diff --git a/drivers/platform/x86/intel_scu_ipcutil.c b/drivers/platform/x86/intel_scu_ipcutil.c +index 02bc5a6343c3..aa454241489c 100644 +--- a/drivers/platform/x86/intel_scu_ipcutil.c ++++ b/drivers/platform/x86/intel_scu_ipcutil.c +@@ -49,7 +49,7 @@ struct scu_ipc_data { + + static int scu_reg_access(u32 cmd, struct scu_ipc_data *data) + { +- int count = data->count; ++ unsigned int count = data->count; + + if (count == 0 || count == 3 || count > 4) + return -EINVAL; +diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c +index 4b9cf93f3fb6..d233170cd439 100644 +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -569,7 +569,7 @@ static int mode_select_handle_sense(struct scsi_device *sdev, + /* + * Command Lock contention + */ +- err = SCSI_DH_RETRY; ++ err = SCSI_DH_IMM_RETRY; + break; + default: + break; +@@ -619,6 +619,8 @@ retry: + err = mode_select_handle_sense(sdev, h->sense); + if (err == SCSI_DH_RETRY && retry_cnt--) + goto retry; ++ if (err == SCSI_DH_IMM_RETRY) ++ goto retry; + } + if (err == SCSI_DH_OK) { + h->state = RDAC_STATE_ACTIVE; +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index f28ea070d3df..bd5fd3b7e178 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -308,6 +308,17 @@ static void scsi_host_dev_release(struct device *dev) + kfree(queuedata); + } + ++ if (shost->shost_state == SHOST_CREATED) { ++ /* ++ * Free the shost_dev device name here if scsi_host_alloc() ++ * and scsi_host_put() have been called but neither ++ * scsi_host_add() nor scsi_host_remove() has been called. ++ * This avoids that the memory allocated for the shost_dev ++ * name is leaked. ++ */ ++ kfree(dev_name(&shost->shost_dev)); ++ } ++ + scsi_destroy_command_freelist(shost); + if (shost->bqt) + blk_free_tags(shost->bqt); +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index 262ab837a704..8790e8640acd 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -205,6 +205,7 @@ static struct { + {"Intel", "Multi-Flex", NULL, BLIST_NO_RSOC}, + {"iRiver", "iFP Mass Driver", NULL, BLIST_NOT_LOCKABLE | BLIST_INQUIRY_36}, + {"LASOUND", "CDX7405", "3.10", BLIST_MAX5LUN | BLIST_SINGLELUN}, ++ {"Marvell", "Console", NULL, BLIST_SKIP_VPD_PAGES}, + {"MATSHITA", "PD-1", NULL, BLIST_FORCELUN | BLIST_SINGLELUN}, + {"MATSHITA", "DMC-LC5", NULL, BLIST_NOT_LOCKABLE | BLIST_INQUIRY_36}, + {"MATSHITA", "DMC-LC40", NULL, BLIST_NOT_LOCKABLE | BLIST_INQUIRY_36}, +diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c +index a59be67b92d5..88e136c716e9 100644 +--- a/drivers/scsi/scsi_pm.c ++++ b/drivers/scsi/scsi_pm.c +@@ -151,13 +151,13 @@ static int sdev_runtime_suspend(struct device *dev) + struct scsi_device *sdev = to_scsi_device(dev); + int err = 0; + +- if (pm && pm->runtime_suspend) { +- err = blk_pre_runtime_suspend(sdev->request_queue); +- if (err) +- return err; ++ err = blk_pre_runtime_suspend(sdev->request_queue); ++ if (err) ++ return err; ++ if (pm && pm->runtime_suspend) + err = pm->runtime_suspend(dev); +- blk_post_runtime_suspend(sdev->request_queue, err); +- } ++ blk_post_runtime_suspend(sdev->request_queue, err); ++ + return err; + } + +@@ -180,11 +180,11 @@ static int sdev_runtime_resume(struct device *dev) + const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL; + int err = 0; + +- if (pm && pm->runtime_resume) { +- blk_pre_runtime_resume(sdev->request_queue); ++ blk_pre_runtime_resume(sdev->request_queue); ++ if (pm && pm->runtime_resume) + err = pm->runtime_resume(dev); +- blk_post_runtime_resume(sdev->request_queue, err); +- } ++ blk_post_runtime_resume(sdev->request_queue, err); ++ + return err; + } + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 665acbf83693..5706bb89f6a0 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -882,7 +882,7 @@ sdev_store_queue_ramp_up_period(struct device *dev, + return -EINVAL; + + sdev->queue_ramp_up_period = msecs_to_jiffies(period); +- return period; ++ return count; + } + + static struct device_attribute sdev_attr_queue_ramp_up_period = +@@ -1123,31 +1123,25 @@ static void __scsi_remove_target(struct scsi_target *starget) + void scsi_remove_target(struct device *dev) + { + struct Scsi_Host *shost = dev_to_shost(dev->parent); +- struct scsi_target *starget, *last = NULL; ++ struct scsi_target *starget, *last_target = NULL; + unsigned long flags; + +- /* remove targets being careful to lookup next entry before +- * deleting the last +- */ ++restart: + spin_lock_irqsave(shost->host_lock, flags); + list_for_each_entry(starget, &shost->__targets, siblings) { +- if (starget->state == STARGET_DEL) ++ if (starget->state == STARGET_DEL || ++ starget == last_target) + continue; + if (starget->dev.parent == dev || &starget->dev == dev) { +- /* assuming new targets arrive at the end */ + kref_get(&starget->reap_ref); ++ last_target = starget; + spin_unlock_irqrestore(shost->host_lock, flags); +- if (last) +- scsi_target_reap(last); +- last = starget; + __scsi_remove_target(starget); +- spin_lock_irqsave(shost->host_lock, flags); ++ scsi_target_reap(starget); ++ goto restart; + } + } + spin_unlock_irqrestore(shost->host_lock, flags); +- +- if (last) +- scsi_target_reap(last); + } + EXPORT_SYMBOL(scsi_remove_target); + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index a10706409927..614531c14777 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3129,8 +3129,8 @@ static int sd_suspend_common(struct device *dev, bool ignore_stop_errors) + struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); + int ret = 0; + +- if (!sdkp) +- return 0; /* this can happen */ ++ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */ ++ return 0; + + if (sdkp->WCE && sdkp->media_present) { + sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); +@@ -3171,6 +3171,9 @@ static int sd_resume(struct device *dev) + struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); + int ret = 0; + ++ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */ ++ return 0; ++ + if (!sdkp->device->manage_start_stop) + goto done; + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 721d839d6c54..0be16bf5f0cd 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1258,7 +1258,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma) + } + + sfp->mmap_called = 1; +- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; ++ vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP; + vma->vm_private_data = sfp; + vma->vm_ops = &sg_mmap_vm_ops; + return 0; +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index 40d85929aefe..2d3d11021bb6 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -142,6 +142,9 @@ static int sr_runtime_suspend(struct device *dev) + { + struct scsi_cd *cd = dev_get_drvdata(dev); + ++ if (!cd) /* E.g.: runtime suspend following sr_remove() */ ++ return 0; ++ + if (cd->media_present) + return -EBUSY; + else +@@ -995,6 +998,7 @@ static int sr_remove(struct device *dev) + + blk_queue_prep_rq(cd->device->request_queue, scsi_prep_fn); + del_gendisk(cd->disk); ++ dev_set_drvdata(dev, NULL); + + mutex_lock(&sr_ref_mutex); + kref_put(&cd->kref, sr_kref_release); +diff --git a/drivers/staging/iio/adc/lpc32xx_adc.c b/drivers/staging/iio/adc/lpc32xx_adc.c +index a876ce755351..22818550efd3 100644 +--- a/drivers/staging/iio/adc/lpc32xx_adc.c ++++ b/drivers/staging/iio/adc/lpc32xx_adc.c +@@ -76,7 +76,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, + + if (mask == IIO_CHAN_INFO_RAW) { + mutex_lock(&indio_dev->mlock); +- clk_enable(info->clk); ++ clk_prepare_enable(info->clk); + /* Measurement setup */ + __raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm, + LPC32XX_ADC_SELECT(info->adc_base)); +@@ -84,7 +84,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, + __raw_writel(AD_PDN_CTRL | AD_STROBE, + LPC32XX_ADC_CTRL(info->adc_base)); + wait_for_completion(&info->completion); /* set by ISR */ +- clk_disable(info->clk); ++ clk_disable_unprepare(info->clk); + *val = info->value; + mutex_unlock(&indio_dev->mlock); + +diff --git a/drivers/staging/speakup/selection.c b/drivers/staging/speakup/selection.c +index ca04d3669acc..34a6deef1d6c 100644 +--- a/drivers/staging/speakup/selection.c ++++ b/drivers/staging/speakup/selection.c +@@ -140,7 +140,9 @@ static void __speakup_paste_selection(struct work_struct *work) + struct tty_ldisc *ld; + DECLARE_WAITQUEUE(wait, current); + +- ld = tty_ldisc_ref_wait(tty); ++ ld = tty_ldisc_ref(tty); ++ if (!ld) ++ goto tty_unref; + tty_buffer_lock_exclusive(&vc->port); + + add_wait_queue(&vc->paste_wait, &wait); +@@ -160,6 +162,7 @@ static void __speakup_paste_selection(struct work_struct *work) + + tty_buffer_unlock_exclusive(&vc->port); + tty_ldisc_deref(ld); ++tty_unref: + tty_kref_put(tty); + } + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 9dbf17671439..c066e6e298c3 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4027,6 +4027,17 @@ reject: + return iscsit_add_reject(conn, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); + } + ++static bool iscsi_target_check_conn_state(struct iscsi_conn *conn) ++{ ++ bool ret; ++ ++ spin_lock_bh(&conn->state_lock); ++ ret = (conn->conn_state != TARG_CONN_STATE_LOGGED_IN); ++ spin_unlock_bh(&conn->state_lock); ++ ++ return ret; ++} ++ + int iscsi_target_rx_thread(void *arg) + { + int ret, rc; +@@ -4044,7 +4055,7 @@ int iscsi_target_rx_thread(void *arg) + * incoming iscsi/tcp socket I/O, and/or failing the connection. + */ + rc = wait_for_completion_interruptible(&conn->rx_login_comp); +- if (rc < 0) ++ if (rc < 0 || iscsi_target_check_conn_state(conn)) + return 0; + + if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { +diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c +index 1c0088fe9e99..83465617ad6d 100644 +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -1876,7 +1876,8 @@ static void lio_tpg_release_fabric_acl( + } + + /* +- * Called with spin_lock_bh(struct se_portal_group->session_lock) held.. ++ * Called with spin_lock_irq(struct se_portal_group->session_lock) held ++ * or not held. + * + * Also, this function calls iscsit_inc_session_usage_count() on the + * struct iscsi_session in question. +@@ -1884,19 +1885,32 @@ static void lio_tpg_release_fabric_acl( + static int lio_tpg_shutdown_session(struct se_session *se_sess) + { + struct iscsi_session *sess = se_sess->fabric_sess_ptr; ++ struct se_portal_group *se_tpg = se_sess->se_tpg; ++ bool local_lock = false; ++ ++ if (!spin_is_locked(&se_tpg->session_lock)) { ++ spin_lock_irq(&se_tpg->session_lock); ++ local_lock = true; ++ } + + spin_lock(&sess->conn_lock); + if (atomic_read(&sess->session_fall_back_to_erl0) || + atomic_read(&sess->session_logout) || + (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) { + spin_unlock(&sess->conn_lock); ++ if (local_lock) ++ spin_unlock_irq(&sess->conn_lock); + return 0; + } + atomic_set(&sess->session_reinstatement, 1); + spin_unlock(&sess->conn_lock); + + iscsit_stop_time2retain_timer(sess); ++ spin_unlock_irq(&se_tpg->session_lock); ++ + iscsit_stop_session(sess, 1, 1); ++ if (!local_lock) ++ spin_lock_irq(&se_tpg->session_lock); + + return 1; + } +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c +index 25ad113c5978..abbac7fe64e2 100644 +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -393,6 +393,7 @@ err: + if (login->login_complete) { + if (conn->rx_thread && conn->rx_thread_active) { + send_sig(SIGINT, conn->rx_thread, 1); ++ complete(&conn->rx_login_comp); + kthread_stop(conn->rx_thread); + } + if (conn->tx_thread && conn->tx_thread_active) { +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index e49616eeb1cc..c3f9b9920d8d 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -617,7 +617,14 @@ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty) + /* this is called once with whichever end is closed last */ + static void pty_unix98_shutdown(struct tty_struct *tty) + { +- devpts_kill_index(tty->driver_data, tty->index); ++ struct inode *ptmx_inode; ++ ++ if (tty->driver->subtype == PTY_TYPE_MASTER) ++ ptmx_inode = tty->driver_data; ++ else ++ ptmx_inode = tty->link->driver_data; ++ devpts_kill_index(ptmx_inode, tty->index); ++ devpts_del_ref(ptmx_inode); + } + + static const struct tty_operations ptm_unix98_ops = { +@@ -708,6 +715,18 @@ static int ptmx_open(struct inode *inode, struct file *filp) + set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */ + tty->driver_data = inode; + ++ /* ++ * In the case where all references to ptmx inode are dropped and we ++ * still have /dev/tty opened pointing to the master/slave pair (ptmx ++ * is closed/released before /dev/tty), we must make sure that the inode ++ * is still valid when we call the final pty_unix98_shutdown, thus we ++ * hold an additional reference to the ptmx inode. For the same /dev/tty ++ * last close case, we also need to make sure the super_block isn't ++ * destroyed (devpts instance unmounted), before /dev/tty is closed and ++ * on its release devpts_kill_index is called. ++ */ ++ devpts_add_ref(inode); ++ + tty_add_file(tty, filp); + + slave_inode = devpts_pty_new(inode, +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 996f8f3fd423..1e1fed47eabc 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1613,6 +1613,9 @@ static int pci_eg20t_init(struct pci_dev *dev) + #endif + } + ++#define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358 ++#define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358 ++ + static int + pci_xr17c154_setup(struct serial_private *priv, + const struct pciserial_board *board, +@@ -1622,6 +1625,15 @@ pci_xr17c154_setup(struct serial_private *priv, + return pci_default_setup(priv, board, port, idx); + } + ++static inline int ++xr17v35x_has_slave(struct serial_private *priv) ++{ ++ const int dev_id = priv->dev->device; ++ ++ return ((dev_id == PCI_DEVICE_ID_EXAR_XR17V4358) || ++ (dev_id == PCI_DEVICE_ID_EXAR_XR17V8358)); ++} ++ + static int + pci_xr17v35x_setup(struct serial_private *priv, + const struct pciserial_board *board, +@@ -1636,6 +1648,13 @@ pci_xr17v35x_setup(struct serial_private *priv, + port->port.flags |= UPF_EXAR_EFR; + + /* ++ * Setup the uart clock for the devices on expansion slot to ++ * half the clock speed of the main chip (which is 125MHz) ++ */ ++ if (xr17v35x_has_slave(priv) && idx >= 8) ++ port->port.uartclk = (7812500 * 16 / 2); ++ ++ /* + * Setup Multipurpose Input/Output pins. + */ + if (idx == 0) { +@@ -1772,9 +1791,6 @@ pci_wch_ch353_setup(struct serial_private *priv, + #define PCI_DEVICE_ID_SUNIX_1999 0x1999 + + +-#define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358 +-#define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358 +- + /* Unknown vendors/cards - this should not be in linux/pci_ids.h */ + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584 + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588 +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 27688e3b0a4c..b63507bbf74b 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1523,7 +1523,9 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, + "HW died, freeing TD."); + urb_priv = urb->hcpriv; +- for (i = urb_priv->td_cnt; i < urb_priv->length; i++) { ++ for (i = urb_priv->td_cnt; ++ i < urb_priv->length && xhci->devs[urb->dev->slot_id]; ++ i++) { + td = urb_priv->td[i]; + if (!list_empty(&td->td_list)) + list_del_init(&td->td_list); +diff --git a/fs/aio.c b/fs/aio.c +index 3241659491b1..0612022162ad 100644 +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1375,11 +1375,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb, + unsigned long *nr_segs, + struct iovec *iovec) + { +- if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes))) ++ size_t len = kiocb->ki_nbytes; ++ ++ if (len > MAX_RW_COUNT) ++ len = MAX_RW_COUNT; ++ ++ if (unlikely(!access_ok(!rw, buf, len))) + return -EFAULT; + + iovec->iov_base = buf; +- iovec->iov_len = kiocb->ki_nbytes; ++ iovec->iov_len = len; + *nr_segs = 1; + return 0; + } +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 0529defbdf73..9b8447e4ac3f 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1264,7 +1264,8 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, + read_extent_buffer(eb, dest + bytes_left, + name_off, name_len); + if (eb != eb_in) { +- btrfs_tree_read_unlock_blocking(eb); ++ if (!path->skip_locking) ++ btrfs_tree_read_unlock_blocking(eb); + free_extent_buffer(eb); + } + ret = inode_ref_info(parent, 0, fs_root, path, &found_key); +@@ -1283,9 +1284,10 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, + eb = path->nodes[0]; + /* make sure we can use eb after releasing the path */ + if (eb != eb_in) { +- atomic_inc(&eb->refs); +- btrfs_tree_read_lock(eb); +- btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); ++ if (!path->skip_locking) ++ btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); ++ path->nodes[0] = NULL; ++ path->locks[0] = 0; + } + btrfs_release_path(path); + iref = btrfs_item_ptr(eb, slot, struct btrfs_inode_ref); +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c +index 12e35566d2fc..cc4790f11795 100644 +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -1686,7 +1686,7 @@ int btrfs_should_delete_dir_index(struct list_head *del_list, + * + */ + int btrfs_readdir_delayed_dir_index(struct dir_context *ctx, +- struct list_head *ins_list) ++ struct list_head *ins_list, bool *emitted) + { + struct btrfs_dir_item *di; + struct btrfs_delayed_item *curr, *next; +@@ -1730,6 +1730,7 @@ int btrfs_readdir_delayed_dir_index(struct dir_context *ctx, + + if (over) + return 1; ++ *emitted = true; + } + return 0; + } +diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h +index f70119f25421..0167853c84ae 100644 +--- a/fs/btrfs/delayed-inode.h ++++ b/fs/btrfs/delayed-inode.h +@@ -144,7 +144,7 @@ void btrfs_put_delayed_items(struct list_head *ins_list, + int btrfs_should_delete_dir_index(struct list_head *del_list, + u64 index); + int btrfs_readdir_delayed_dir_index(struct dir_context *ctx, +- struct list_head *ins_list); ++ struct list_head *ins_list, bool *emitted); + + /* for init */ + int __init btrfs_delayed_inode_init(void); +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 7f0dcfc58cbf..08824fe6ef44 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5205,6 +5205,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx) + char *name_ptr; + int name_len; + int is_curr = 0; /* ctx->pos points to the current index? */ ++ bool emitted; + + /* FIXME, use a real flag for deciding about the key type */ + if (root->fs_info->tree_root == root) +@@ -5233,6 +5234,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx) + if (ret < 0) + goto err; + ++ emitted = false; + while (1) { + leaf = path->nodes[0]; + slot = path->slots[0]; +@@ -5312,6 +5314,7 @@ skip: + + if (over) + goto nopos; ++ emitted = true; + di_len = btrfs_dir_name_len(leaf, di) + + btrfs_dir_data_len(leaf, di) + sizeof(*di); + di_cur += di_len; +@@ -5324,11 +5327,20 @@ next: + if (key_type == BTRFS_DIR_INDEX_KEY) { + if (is_curr) + ctx->pos++; +- ret = btrfs_readdir_delayed_dir_index(ctx, &ins_list); ++ ret = btrfs_readdir_delayed_dir_index(ctx, &ins_list, &emitted); + if (ret) + goto nopos; + } + ++ /* ++ * If we haven't emitted any dir entry, we must not touch ctx->pos as ++ * it was was set to the termination value in previous call. We assume ++ * that "." and ".." were emitted if we reach this point and set the ++ * termination value as well for an empty directory. ++ */ ++ if (ctx->pos > 2 && !emitted) ++ goto nopos; ++ + /* Reached end of directory/root. Bump pos past the last item. */ + ctx->pos++; + +diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c +index 3299778391fd..0bd335a393f8 100644 +--- a/fs/cifs/cifsencrypt.c ++++ b/fs/cifs/cifsencrypt.c +@@ -710,7 +710,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) + + ses->auth_key.response = kmalloc(baselen + tilen, GFP_KERNEL); + if (!ses->auth_key.response) { +- rc = ENOMEM; ++ rc = -ENOMEM; + ses->auth_key.len = 0; + goto setup_ntlmv2_rsp_ret; + } +diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c +index b334a89d6a66..1320d1ecc630 100644 +--- a/fs/cifs/readdir.c ++++ b/fs/cifs/readdir.c +@@ -849,6 +849,7 @@ int cifs_readdir(struct file *file, struct dir_context *ctx) + * if buggy server returns . and .. late do we want to + * check for that here? + */ ++ *tmp_buf = 0; + rc = cifs_filldir(current_entry, file, ctx, + tmp_buf, max_len); + if (rc) { +diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c +index a726b9f29cb7..61af24e379ad 100644 +--- a/fs/devpts/inode.c ++++ b/fs/devpts/inode.c +@@ -564,6 +564,26 @@ void devpts_kill_index(struct inode *ptmx_inode, int idx) + mutex_unlock(&allocated_ptys_lock); + } + ++/* ++ * pty code needs to hold extra references in case of last /dev/tty close ++ */ ++ ++void devpts_add_ref(struct inode *ptmx_inode) ++{ ++ struct super_block *sb = pts_sb_from_inode(ptmx_inode); ++ ++ atomic_inc(&sb->s_active); ++ ihold(ptmx_inode); ++} ++ ++void devpts_del_ref(struct inode *ptmx_inode) ++{ ++ struct super_block *sb = pts_sb_from_inode(ptmx_inode); ++ ++ iput(ptmx_inode); ++ deactivate_super(sb); ++} ++ + /** + * devpts_pty_new -- create a new inode in /dev/pts/ + * @ptmx_inode: inode of the master +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 831cb305c63f..ae8ce49c0437 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -186,7 +186,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) + if (flex_gd == NULL) + goto out3; + +- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data)) ++ if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data)) + goto out2; + flex_gd->count = flexbg_size; + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index d8a60270581c..f9785e3c63ac 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1006,6 +1006,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, + tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes); + flush_dcache_page(page); + ++ iov_iter_advance(ii, tmp); + if (!tmp) { + unlock_page(page); + page_cache_release(page); +@@ -1018,7 +1019,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, + req->page_descs[req->num_pages].length = tmp; + req->num_pages++; + +- iov_iter_advance(ii, tmp); + count += tmp; + pos += tmp; + offset += tmp; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 7b945957e230..45a7dd36b4a6 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1169,6 +1169,7 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s + * Protect the call to nfs4_state_set_mode_locked and + * serialise the stateid update + */ ++ spin_lock(&state->owner->so_lock); + write_seqlock(&state->seqlock); + if (deleg_stateid != NULL) { + nfs4_stateid_copy(&state->stateid, deleg_stateid); +@@ -1177,7 +1178,6 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s + if (open_stateid != NULL) + nfs_set_open_stateid_locked(state, open_stateid, fmode); + write_sequnlock(&state->seqlock); +- spin_lock(&state->owner->so_lock); + update_open_stateflags(state, fmode); + spin_unlock(&state->owner->so_lock); + } +diff --git a/fs/proc/array.c b/fs/proc/array.c +index baf3464bbce0..ca4a64b4b119 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -391,7 +391,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + + state = *get_task_state(task); + vsize = eip = esp = 0; +- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); ++ permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); + mm = get_task_mm(task); + if (mm) { + vsize = task_vsize(mm); +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 489ba8caafc0..be78847782c4 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -239,7 +239,7 @@ out: + + static int proc_pid_auxv(struct task_struct *task, char *buffer) + { +- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ); ++ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); + int res = PTR_ERR(mm); + if (mm && !IS_ERR(mm)) { + unsigned int nwords = 0; +@@ -269,7 +269,7 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer) + wchan = get_wchan(task); + + if (lookup_symbol_name(wchan, symname) < 0) +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + return 0; + else + return sprintf(buffer, "%lu", wchan); +@@ -283,7 +283,7 @@ static int lock_trace(struct task_struct *task) + int err = mutex_lock_killable(&task->signal->cred_guard_mutex); + if (err) + return err; +- if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) { ++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) { + mutex_unlock(&task->signal->cred_guard_mutex); + return -EPERM; + } +@@ -557,7 +557,7 @@ static int proc_fd_access_allowed(struct inode *inode) + */ + task = get_proc_task(inode); + if (task) { +- allowed = ptrace_may_access(task, PTRACE_MODE_READ); ++ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); + put_task_struct(task); + } + return allowed; +@@ -592,7 +592,7 @@ static bool has_pid_permissions(struct pid_namespace *pid, + return true; + if (in_group_p(pid->pid_gid)) + return true; +- return ptrace_may_access(task, PTRACE_MODE_READ); ++ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); + } + + +@@ -707,7 +707,7 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) + if (!task) + return -ESRCH; + +- mm = mm_access(task, mode); ++ mm = mm_access(task, mode | PTRACE_MODE_FSCREDS); + put_task_struct(task); + + if (IS_ERR(mm)) +@@ -1760,7 +1760,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags) + if (!task) + goto out_notask; + +- mm = mm_access(task, PTRACE_MODE_READ); ++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); + if (IS_ERR_OR_NULL(mm)) + goto out; + +@@ -1895,7 +1895,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir, + goto out; + + result = -EACCES; +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + goto out_put_task; + + result = -ENOENT; +@@ -1952,7 +1952,7 @@ proc_map_files_readdir(struct file *file, struct dir_context *ctx) + goto out; + + ret = -EACCES; +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + goto out_put_task; + + ret = 0; +@@ -2431,7 +2431,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) + if (result) + return result; + +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) { ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { + result = -EACCES; + goto out_unlock; + } +diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c +index 9ae46b87470d..a05ed26075e3 100644 +--- a/fs/proc/namespaces.c ++++ b/fs/proc/namespaces.c +@@ -119,7 +119,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd) + if (!task) + goto out; + +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + goto out_put_task; + + ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns.ns_ops); +@@ -152,7 +152,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl + if (!task) + goto out; + +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + goto out_put_task; + + len = -ENOENT; +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 142d29e3ccdf..5808bfe95126 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -2062,14 +2062,29 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos, + epos->offset += adsize; + } + ++/* ++ * Only 1 indirect extent in a row really makes sense but allow upto 16 in case ++ * someone does some weird stuff. ++ */ ++#define UDF_MAX_INDIR_EXTS 16 ++ + int8_t udf_next_aext(struct inode *inode, struct extent_position *epos, + struct kernel_lb_addr *eloc, uint32_t *elen, int inc) + { + int8_t etype; ++ unsigned int indirections = 0; + + while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) == + (EXT_NEXT_EXTENT_ALLOCDECS >> 30)) { + int block; ++ ++ if (++indirections > UDF_MAX_INDIR_EXTS) { ++ udf_err(inode->i_sb, ++ "too many indirect extents in inode %lu\n", ++ inode->i_ino); ++ return -1; ++ } ++ + epos->block = *eloc; + epos->offset = sizeof(struct allocExtDesc); + brelse(epos->bh); +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c +index 44b815e57f94..685fbd8a2937 100644 +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -132,11 +132,15 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) + if (c < 0x80U) + utf_o->u_name[utf_o->u_len++] = (uint8_t)c; + else if (c < 0x800U) { ++ if (utf_o->u_len > (UDF_NAME_LEN - 4)) ++ break; + utf_o->u_name[utf_o->u_len++] = + (uint8_t)(0xc0 | (c >> 6)); + utf_o->u_name[utf_o->u_len++] = + (uint8_t)(0x80 | (c & 0x3f)); + } else { ++ if (utf_o->u_len > (UDF_NAME_LEN - 5)) ++ break; + utf_o->u_name[utf_o->u_len++] = + (uint8_t)(0xe0 | (c >> 12)); + utf_o->u_name[utf_o->u_len++] = +@@ -177,17 +181,22 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) + static int udf_UTF8toCS0(dstring *ocu, struct ustr *utf, int length) + { + unsigned c, i, max_val, utf_char; +- int utf_cnt, u_len; ++ int utf_cnt, u_len, u_ch; + + memset(ocu, 0, sizeof(dstring) * length); + ocu[0] = 8; + max_val = 0xffU; ++ u_ch = 1; + + try_again: + u_len = 0U; + utf_char = 0U; + utf_cnt = 0U; + for (i = 0U; i < utf->u_len; i++) { ++ /* Name didn't fit? */ ++ if (u_len + 1 + u_ch >= length) ++ return 0; ++ + c = (uint8_t)utf->u_name[i]; + + /* Complete a multi-byte UTF-8 character */ +@@ -229,6 +238,7 @@ try_again: + if (max_val == 0xffU) { + max_val = 0xffffU; + ocu[0] = (uint8_t)0x10U; ++ u_ch = 2; + goto try_again; + } + goto error_out; +@@ -281,7 +291,7 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o, + c = (c << 8) | ocu[i++]; + + len = nls->uni2char(c, &utf_o->u_name[utf_o->u_len], +- UDF_NAME_LEN - utf_o->u_len); ++ UDF_NAME_LEN - 2 - utf_o->u_len); + /* Valid character? */ + if (len >= 0) + utf_o->u_len += len; +@@ -299,15 +309,19 @@ static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni, + int len; + unsigned i, max_val; + uint16_t uni_char; +- int u_len; ++ int u_len, u_ch; + + memset(ocu, 0, sizeof(dstring) * length); + ocu[0] = 8; + max_val = 0xffU; ++ u_ch = 1; + + try_again: + u_len = 0U; + for (i = 0U; i < uni->u_len; i++) { ++ /* Name didn't fit? */ ++ if (u_len + 1 + u_ch >= length) ++ return 0; + len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char); + if (!len) + continue; +@@ -320,6 +334,7 @@ try_again: + if (uni_char > max_val) { + max_val = 0xffffU; + ocu[0] = (uint8_t)0x10U; ++ u_ch = 2; + goto try_again; + } + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 2472740d7ab2..6977192bdb59 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -131,7 +131,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); + */ + #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) ) + #define __trace_if(cond) \ +- if (__builtin_constant_p((cond)) ? !!(cond) : \ ++ if (__builtin_constant_p(!!(cond)) ? !!(cond) : \ + ({ \ + int ______r; \ + static struct ftrace_branch_data \ +diff --git a/include/linux/devpts_fs.h b/include/linux/devpts_fs.h +index 251a2090a554..e0ee0b3000b2 100644 +--- a/include/linux/devpts_fs.h ++++ b/include/linux/devpts_fs.h +@@ -19,6 +19,8 @@ + + int devpts_new_index(struct inode *ptmx_inode); + void devpts_kill_index(struct inode *ptmx_inode, int idx); ++void devpts_add_ref(struct inode *ptmx_inode); ++void devpts_del_ref(struct inode *ptmx_inode); + /* mknod in devpts */ + struct inode *devpts_pty_new(struct inode *ptmx_inode, dev_t device, int index, + void *priv); +@@ -32,6 +34,8 @@ void devpts_pty_kill(struct inode *inode); + /* Dummy stubs in the no-pty case */ + static inline int devpts_new_index(struct inode *ptmx_inode) { return -EINVAL; } + static inline void devpts_kill_index(struct inode *ptmx_inode, int idx) { } ++static inline void devpts_add_ref(struct inode *ptmx_inode) { } ++static inline void devpts_del_ref(struct inode *ptmx_inode) { } + static inline struct inode *devpts_pty_new(struct inode *ptmx_inode, + dev_t device, int index, void *priv) + { +diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h +index cc79eff4a1ad..608d90444b6f 100644 +--- a/include/linux/ptrace.h ++++ b/include/linux/ptrace.h +@@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer); + #define PTRACE_MODE_READ 0x01 + #define PTRACE_MODE_ATTACH 0x02 + #define PTRACE_MODE_NOAUDIT 0x04 +-/* Returns true on success, false on denial. */ ++#define PTRACE_MODE_FSCREDS 0x08 ++#define PTRACE_MODE_REALCREDS 0x10 ++ ++/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ ++#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) ++#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) ++#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) ++#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS) ++ ++/** ++ * ptrace_may_access - check whether the caller is permitted to access ++ * a target task. ++ * @task: target task ++ * @mode: selects type of access and caller credentials ++ * ++ * Returns true on success, false on denial. ++ * ++ * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must ++ * be set in @mode to specify whether the access was requested through ++ * a filesystem syscall (should use effective capabilities and fsuid ++ * of the caller) or through an explicit syscall such as ++ * process_vm_writev or ptrace (and should use the real credentials). ++ */ + extern bool ptrace_may_access(struct task_struct *task, unsigned int mode); + + static inline int ptrace_reparented(struct task_struct *child) +diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h +index e8be53ecfc45..16604454e95f 100644 +--- a/include/linux/radix-tree.h ++++ b/include/linux/radix-tree.h +@@ -320,12 +320,28 @@ void **radix_tree_next_chunk(struct radix_tree_root *root, + struct radix_tree_iter *iter, unsigned flags); + + /** ++ * radix_tree_iter_retry - retry this chunk of the iteration ++ * @iter: iterator state ++ * ++ * If we iterate over a tree protected only by the RCU lock, a race ++ * against deletion or creation may result in seeing a slot for which ++ * radix_tree_deref_retry() returns true. If so, call this function ++ * and continue the iteration. ++ */ ++static inline __must_check ++void **radix_tree_iter_retry(struct radix_tree_iter *iter) ++{ ++ iter->next_index = iter->index; ++ return NULL; ++} ++ ++/** + * radix_tree_chunk_size - get current chunk size + * + * @iter: pointer to radix tree iterator + * Returns: current chunk size + */ +-static __always_inline unsigned ++static __always_inline long + radix_tree_chunk_size(struct radix_tree_iter *iter) + { + return iter->next_index - iter->index; +@@ -359,9 +375,9 @@ radix_tree_next_slot(void **slot, struct radix_tree_iter *iter, unsigned flags) + return slot + offset + 1; + } + } else { +- unsigned size = radix_tree_chunk_size(iter) - 1; ++ long size = radix_tree_chunk_size(iter); + +- while (size--) { ++ while (--size > 0) { + slot++; + iter->index++; + if (likely(*slot)) +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 3bf20e36a8e7..bfd91336e888 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -3096,7 +3096,7 @@ find_lively_task_by_vpid(pid_t vpid) + + /* Reuse ptrace permission checks for now. */ + err = -EACCES; +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) + goto errout; + + return task; +@@ -5945,6 +5945,10 @@ static int perf_tp_filter_match(struct perf_event *event, + { + void *record = data->raw->data; + ++ /* only top level events have filters set */ ++ if (event->parent) ++ event = event->parent; ++ + if (likely(!event->filter) || filter_match_preds(event->filter, record)) + return 1; + return 0; +diff --git a/kernel/futex.c b/kernel/futex.c +index fda2950f2ce4..b125c385a257 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2648,6 +2648,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, + if (q.pi_state && (q.pi_state->owner != current)) { + spin_lock(q.lock_ptr); + ret = fixup_pi_state_owner(uaddr2, &q, current); ++ /* ++ * Drop the reference to the pi state which ++ * the requeue_pi() code acquired for us. ++ */ ++ free_pi_state(q.pi_state); + spin_unlock(q.lock_ptr); + } + } else { +@@ -2774,7 +2779,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, + } + + ret = -EPERM; +- if (!ptrace_may_access(p, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) + goto err_unlock; + + head = p->robust_list; +diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c +index f9f44fd4d34d..3888617a1f9e 100644 +--- a/kernel/futex_compat.c ++++ b/kernel/futex_compat.c +@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid, + } + + ret = -EPERM; +- if (!ptrace_may_access(p, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) + goto err_unlock; + + head = p->compat_robust_list; +diff --git a/kernel/kcmp.c b/kernel/kcmp.c +index 0aa69ea1d8fd..3a47fa998fe0 100644 +--- a/kernel/kcmp.c ++++ b/kernel/kcmp.c +@@ -122,8 +122,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, + &task2->signal->cred_guard_mutex); + if (ret) + goto err; +- if (!ptrace_may_access(task1, PTRACE_MODE_READ) || +- !ptrace_may_access(task2, PTRACE_MODE_READ)) { ++ if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) || ++ !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) { + ret = -EPERM; + goto err_unlock; + } +diff --git a/kernel/module.c b/kernel/module.c +index 49f17c27bf11..e40617fac8ad 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3381,6 +3381,11 @@ static inline int is_arm_mapping_symbol(const char *str) + && (str[2] == '\0' || str[2] == '.'); + } + ++static const char *symname(struct module *mod, unsigned int symnum) ++{ ++ return mod->strtab + mod->symtab[symnum].st_name; ++} ++ + static const char *get_ksymbol(struct module *mod, + unsigned long addr, + unsigned long *size, +@@ -3403,15 +3408,15 @@ static const char *get_ksymbol(struct module *mod, + + /* We ignore unnamed symbols: they're uninformative + * and inserted at a whim. */ ++ if (*symname(mod, i) == '\0' ++ || is_arm_mapping_symbol(symname(mod, i))) ++ continue; ++ + if (mod->symtab[i].st_value <= addr +- && mod->symtab[i].st_value > mod->symtab[best].st_value +- && *(mod->strtab + mod->symtab[i].st_name) != '\0' +- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) ++ && mod->symtab[i].st_value > mod->symtab[best].st_value) + best = i; + if (mod->symtab[i].st_value > addr +- && mod->symtab[i].st_value < nextval +- && *(mod->strtab + mod->symtab[i].st_name) != '\0' +- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) ++ && mod->symtab[i].st_value < nextval) + nextval = mod->symtab[i].st_value; + } + +@@ -3422,7 +3427,7 @@ static const char *get_ksymbol(struct module *mod, + *size = nextval - mod->symtab[best].st_value; + if (offset) + *offset = addr - mod->symtab[best].st_value; +- return mod->strtab + mod->symtab[best].st_name; ++ return symname(mod, best); + } + + /* For kallsyms to ask for address resolution. NULL means not found. Careful +@@ -3523,8 +3528,7 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, + if (symnum < mod->num_symtab) { + *value = mod->symtab[symnum].st_value; + *type = mod->symtab[symnum].st_info; +- strlcpy(name, mod->strtab + mod->symtab[symnum].st_name, +- KSYM_NAME_LEN); ++ strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN); + strlcpy(module_name, mod->name, MODULE_NAME_LEN); + *exported = is_exported(name, *value, mod); + preempt_enable(); +@@ -3541,7 +3545,7 @@ static unsigned long mod_find_symname(struct module *mod, const char *name) + unsigned int i; + + for (i = 0; i < mod->num_symtab; i++) +- if (strcmp(name, mod->strtab+mod->symtab[i].st_name) == 0 && ++ if (strcmp(name, symname(mod, i)) == 0 && + mod->symtab[i].st_info != 'U') + return mod->symtab[i].st_value; + return 0; +@@ -3583,7 +3587,7 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, + if (mod->state == MODULE_STATE_UNFORMED) + continue; + for (i = 0; i < mod->num_symtab; i++) { +- ret = fn(data, mod->strtab + mod->symtab[i].st_name, ++ ret = fn(data, symname(mod, i), + mod, mod->symtab[i].st_value); + if (ret != 0) + return ret; +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index be9760f8284a..4524314ecbb4 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -225,6 +225,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; ++ int dumpable = 0; ++ kuid_t caller_uid; ++ kgid_t caller_gid; ++ ++ if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { ++ WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); ++ return -EPERM; ++ } + + /* May we inspect the given task? + * This check is used both for attaching with ptrace +@@ -234,18 +242,33 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + * because setting up the necessary parent/child relationship + * or halting the specified task is impossible. + */ +- int dumpable = 0; ++ + /* Don't let security modules deny introspection */ + if (same_thread_group(task, current)) + return 0; + rcu_read_lock(); ++ if (mode & PTRACE_MODE_FSCREDS) { ++ caller_uid = cred->fsuid; ++ caller_gid = cred->fsgid; ++ } else { ++ /* ++ * Using the euid would make more sense here, but something ++ * in userland might rely on the old behavior, and this ++ * shouldn't be a security problem since ++ * PTRACE_MODE_REALCREDS implies that the caller explicitly ++ * used a syscall that requests access to another process ++ * (and not a filesystem syscall to procfs). ++ */ ++ caller_uid = cred->uid; ++ caller_gid = cred->gid; ++ } + tcred = __task_cred(task); +- if (uid_eq(cred->uid, tcred->euid) && +- uid_eq(cred->uid, tcred->suid) && +- uid_eq(cred->uid, tcred->uid) && +- gid_eq(cred->gid, tcred->egid) && +- gid_eq(cred->gid, tcred->sgid) && +- gid_eq(cred->gid, tcred->gid)) ++ if (uid_eq(caller_uid, tcred->euid) && ++ uid_eq(caller_uid, tcred->suid) && ++ uid_eq(caller_uid, tcred->uid) && ++ gid_eq(caller_gid, tcred->egid) && ++ gid_eq(caller_gid, tcred->sgid) && ++ gid_eq(caller_gid, tcred->gid)) + goto ok; + if (ptrace_has_cap(tcred->user_ns, mode)) + goto ok; +@@ -312,7 +335,7 @@ static int ptrace_attach(struct task_struct *task, long request, + goto out; + + task_lock(task); +- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH); ++ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); + task_unlock(task); + if (retval) + goto unlock_creds; +diff --git a/lib/dma-debug.c b/lib/dma-debug.c +index 98f2d7e91a91..1cbfc16d0b37 100644 +--- a/lib/dma-debug.c ++++ b/lib/dma-debug.c +@@ -1165,7 +1165,7 @@ static inline bool overlap(void *addr, unsigned long len, void *start, void *end + + static void check_for_illegal_area(struct device *dev, void *addr, unsigned long len) + { +- if (overlap(addr, len, _text, _etext) || ++ if (overlap(addr, len, _stext, _etext) || + overlap(addr, len, __start_rodata, __end_rodata)) + err_printk(dev, NULL, "DMA-API: device driver maps memory from kernel text or rodata [addr=%p] [len=%lu]\n", addr, len); + } +@@ -1440,7 +1440,7 @@ void debug_dma_alloc_coherent(struct device *dev, size_t size, + entry->type = dma_debug_coherent; + entry->dev = dev; + entry->pfn = page_to_pfn(virt_to_page(virt)); +- entry->offset = (size_t) virt & PAGE_MASK; ++ entry->offset = (size_t) virt & ~PAGE_MASK; + entry->size = size; + entry->dev_addr = dma_addr; + entry->direction = DMA_BIDIRECTIONAL; +@@ -1456,7 +1456,7 @@ void debug_dma_free_coherent(struct device *dev, size_t size, + .type = dma_debug_coherent, + .dev = dev, + .pfn = page_to_pfn(virt_to_page(virt)), +- .offset = (size_t) virt & PAGE_MASK, ++ .offset = (size_t) virt & ~PAGE_MASK, + .dev_addr = addr, + .size = size, + .direction = DMA_BIDIRECTIONAL, +diff --git a/lib/dump_stack.c b/lib/dump_stack.c +index f23b63f0a1c3..1e21b4682666 100644 +--- a/lib/dump_stack.c ++++ b/lib/dump_stack.c +@@ -25,6 +25,7 @@ static atomic_t dump_lock = ATOMIC_INIT(-1); + + asmlinkage void dump_stack(void) + { ++ unsigned long flags; + int was_locked; + int old; + int cpu; +@@ -33,9 +34,8 @@ asmlinkage void dump_stack(void) + * Permit this cpu to perform nested stack dumps while serialising + * against other CPUs + */ +- preempt_disable(); +- + retry: ++ local_irq_save(flags); + cpu = smp_processor_id(); + old = atomic_cmpxchg(&dump_lock, -1, cpu); + if (old == -1) { +@@ -43,6 +43,7 @@ retry: + } else if (old == cpu) { + was_locked = 1; + } else { ++ local_irq_restore(flags); + cpu_relax(); + goto retry; + } +@@ -52,7 +53,7 @@ retry: + if (!was_locked) + atomic_set(&dump_lock, -1); + +- preempt_enable(); ++ local_irq_restore(flags); + } + #else + asmlinkage void dump_stack(void) +diff --git a/lib/klist.c b/lib/klist.c +index 358a368a2947..2e59aecbec0d 100644 +--- a/lib/klist.c ++++ b/lib/klist.c +@@ -282,9 +282,9 @@ void klist_iter_init_node(struct klist *k, struct klist_iter *i, + struct klist_node *n) + { + i->i_klist = k; +- i->i_cur = n; +- if (n) +- kref_get(&n->n_ref); ++ i->i_cur = NULL; ++ if (n && kref_get_unless_zero(&n->n_ref)) ++ i->i_cur = n; + } + EXPORT_SYMBOL_GPL(klist_iter_init_node); + +diff --git a/lib/radix-tree.c b/lib/radix-tree.c +index 7e30d2a7f346..7fdc4121e44c 100644 +--- a/lib/radix-tree.c ++++ b/lib/radix-tree.c +@@ -977,9 +977,13 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results, + return 0; + + radix_tree_for_each_slot(slot, root, &iter, first_index) { +- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); ++ results[ret] = rcu_dereference_raw(*slot); + if (!results[ret]) + continue; ++ if (radix_tree_is_indirect_ptr(results[ret])) { ++ slot = radix_tree_iter_retry(&iter); ++ continue; ++ } + if (++ret == max_items) + break; + } +@@ -1056,9 +1060,13 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results, + return 0; + + radix_tree_for_each_tagged(slot, root, &iter, first_index, tag) { +- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); ++ results[ret] = rcu_dereference_raw(*slot); + if (!results[ret]) + continue; ++ if (radix_tree_is_indirect_ptr(results[ret])) { ++ slot = radix_tree_iter_retry(&iter); ++ continue; ++ } + if (++ret == max_items) + break; + } +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index b58d4fbe6c48..51d7cc8bb5f1 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5858,16 +5858,17 @@ static void __mem_cgroup_usage_unregister_event(struct mem_cgroup *memcg, + swap_buffers: + /* Swap primary and spare array */ + thresholds->spare = thresholds->primary; +- /* If all events are unregistered, free the spare array */ +- if (!new) { +- kfree(thresholds->spare); +- thresholds->spare = NULL; +- } + + rcu_assign_pointer(thresholds->primary, new); + + /* To be sure that nobody uses thresholds */ + synchronize_rcu(); ++ ++ /* If all events are unregistered, free the spare array */ ++ if (!new) { ++ kfree(thresholds->spare); ++ thresholds->spare = NULL; ++ } + unlock: + mutex_unlock(&memcg->thresholds_lock); + } +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 42aeb848b8e9..580dbc22ef74 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1509,7 +1509,7 @@ static int get_any_page(struct page *page, unsigned long pfn, int flags) + * Did it turn free? + */ + ret = __get_any_page(page, pfn, 0); +- if (!PageLRU(page)) { ++ if (ret == 1 && !PageLRU(page)) { + /* Drop page reference which is from __get_any_page() */ + put_page(page); + pr_info("soft_offline: %#lx: unknown non LRU page type %lx\n", +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index 5bba3b35bec8..35e14c784bef 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1220,23 +1220,30 @@ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages) + */ + static int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn) + { +- unsigned long pfn; ++ unsigned long pfn, sec_end_pfn; + struct zone *zone = NULL; + struct page *page; + int i; +- for (pfn = start_pfn; ++ for (pfn = start_pfn, sec_end_pfn = SECTION_ALIGN_UP(start_pfn); + pfn < end_pfn; +- pfn += MAX_ORDER_NR_PAGES) { +- i = 0; +- /* This is just a CONFIG_HOLES_IN_ZONE check.*/ +- while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i)) +- i++; +- if (i == MAX_ORDER_NR_PAGES) ++ pfn = sec_end_pfn + 1, sec_end_pfn += PAGES_PER_SECTION) { ++ /* Make sure the memory section is present first */ ++ if (!present_section_nr(pfn_to_section_nr(pfn))) + continue; +- page = pfn_to_page(pfn + i); +- if (zone && page_zone(page) != zone) +- return 0; +- zone = page_zone(page); ++ for (; pfn < sec_end_pfn && pfn < end_pfn; ++ pfn += MAX_ORDER_NR_PAGES) { ++ i = 0; ++ /* This is just a CONFIG_HOLES_IN_ZONE check.*/ ++ while ((i < MAX_ORDER_NR_PAGES) && ++ !pfn_valid_within(pfn + i)) ++ i++; ++ if (i == MAX_ORDER_NR_PAGES) ++ continue; ++ page = pfn_to_page(pfn + i); ++ if (zone && page_zone(page) != zone) ++ return 0; ++ zone = page_zone(page); ++ } + } + return 1; + } +diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c +index fd26d0433509..e739825be8b3 100644 +--- a/mm/process_vm_access.c ++++ b/mm/process_vm_access.c +@@ -298,7 +298,7 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec, + goto free_proc_pages; + } + +- mm = mm_access(task, PTRACE_MODE_ATTACH); ++ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS); + if (!mm || IS_ERR(mm)) { + rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; + /* +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 9ad561152eb6..8b61288e5746 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -336,7 +336,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id) + + static void ip6mr_free_table(struct mr6_table *mrt) + { +- del_timer(&mrt->ipmr_expire_timer); ++ del_timer_sync(&mrt->ipmr_expire_timer); + mroute_clean_tables(mrt, true); + kfree(mrt); + } +diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter +index 549d0ab8c662..dabd2a4cb4e5 100755 +--- a/scripts/bloat-o-meter ++++ b/scripts/bloat-o-meter +@@ -56,8 +56,8 @@ for name in common: + delta.sort() + delta.reverse() + +-print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ +- (add, remove, grow, shrink, up, -down, up-down) +-print "%-40s %7s %7s %+7s" % ("function", "old", "new", "delta") ++print("add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ ++ (add, remove, grow, shrink, up, -down, up-down)) ++print("%-40s %7s %7s %+7s" % ("function", "old", "new", "delta")) + for d, n in delta: +- if d: print "%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d) ++ if d: print("%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d)) +diff --git a/security/commoncap.c b/security/commoncap.c +index 963dc5981661..a484506445d7 100644 +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -142,12 +142,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) + { + int ret = 0; + const struct cred *cred, *child_cred; ++ const kernel_cap_t *caller_caps; + + rcu_read_lock(); + cred = current_cred(); + child_cred = __task_cred(child); ++ if (mode & PTRACE_MODE_FSCREDS) ++ caller_caps = &cred->cap_effective; ++ else ++ caller_caps = &cred->cap_permitted; + if (cred->user_ns == child_cred->user_ns && +- cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) ++ cap_issubset(child_cred->cap_permitted, *caller_caps)) + goto out; + if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) + goto out; +diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c +index 67c91d226552..ee0522a8f730 100644 +--- a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -540,19 +540,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client, + bool is_src, bool ack) + { + struct snd_seq_port_subs_info *grp; ++ struct list_head *list; ++ bool empty; + + grp = is_src ? &port->c_src : &port->c_dest; ++ list = is_src ? &subs->src_list : &subs->dest_list; + down_write(&grp->list_mutex); + write_lock_irq(&grp->list_lock); +- if (is_src) +- list_del(&subs->src_list); +- else +- list_del(&subs->dest_list); ++ empty = list_empty(list); ++ if (!empty) ++ list_del_init(list); + grp->exclusive = 0; + write_unlock_irq(&grp->list_lock); + up_write(&grp->list_mutex); + +- unsubscribe_port(client, port, grp, &subs->info, ack); ++ if (!empty) ++ unsubscribe_port(client, port, grp, &subs->info, ack); + } + + /* connect two ports */ +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 30e8e0c3f117..56b8a3e00522 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -4249,13 +4249,12 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct event + sizeof(long) != 8) { + char *p; + +- ls = 2; + /* make %l into %ll */ +- p = strchr(format, 'l'); +- if (p) ++ if (ls == 1 && (p = strchr(format, 'l'))) + memmove(p+1, p, strlen(p)+1); + else if (strcmp(format, "%p") == 0) + strcpy(format, "0x%llx"); ++ ls = 2; + } + switch (ls) { + case -2: +diff --git a/tools/perf/Documentation/perf-trace.txt b/tools/perf/Documentation/perf-trace.txt +index fae38d9a44a4..65d6a7a88c53 100644 +--- a/tools/perf/Documentation/perf-trace.txt ++++ b/tools/perf/Documentation/perf-trace.txt +@@ -59,7 +59,6 @@ OPTIONS + --verbose=:: + Verbosity level. + +--i:: + --no-inherit:: + Child tasks do not inherit counters. + diff --git a/patch/kernel/cubox-dev/patch-3.14.62-63.patch b/patch/kernel/cubox-dev/patch-3.14.62-63.patch new file mode 100644 index 000000000..5dcb8ea0c --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.62-63.patch @@ -0,0 +1,4346 @@ +diff --git a/Makefile b/Makefile +index b738f644c71e..0843ef4cc0a4 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 62 ++SUBLEVEL = 63 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c +index e550b117ec4f..2d6a36ea8aaf 100644 +--- a/arch/arc/kernel/unwind.c ++++ b/arch/arc/kernel/unwind.c +@@ -986,42 +986,13 @@ int arc_unwind(struct unwind_frame_info *frame) + (const u8 *)(fde + + 1) + + *fde, ptrType); +- if (pc >= endLoc) ++ if (pc >= endLoc) { + fde = NULL; +- } else +- fde = NULL; +- } +- if (fde == NULL) { +- for (fde = table->address, tableSize = table->size; +- cie = NULL, tableSize > sizeof(*fde) +- && tableSize - sizeof(*fde) >= *fde; +- tableSize -= sizeof(*fde) + *fde, +- fde += 1 + *fde / sizeof(*fde)) { +- cie = cie_for_fde(fde, table); +- if (cie == &bad_cie) { + cie = NULL; +- break; + } +- if (cie == NULL +- || cie == ¬_fde +- || (ptrType = fde_pointer_type(cie)) < 0) +- continue; +- ptr = (const u8 *)(fde + 2); +- startLoc = read_pointer(&ptr, +- (const u8 *)(fde + 1) + +- *fde, ptrType); +- if (!startLoc) +- continue; +- if (!(ptrType & DW_EH_PE_indirect)) +- ptrType &= +- DW_EH_PE_FORM | DW_EH_PE_signed; +- endLoc = +- startLoc + read_pointer(&ptr, +- (const u8 *)(fde + +- 1) + +- *fde, ptrType); +- if (pc >= startLoc && pc < endLoc) +- break; ++ } else { ++ fde = NULL; ++ cie = NULL; + } + } + } +diff --git a/arch/arm/boot/dts/wm8650.dtsi b/arch/arm/boot/dts/wm8650.dtsi +index 7525982262ac..2897c1ac47d8 100644 +--- a/arch/arm/boot/dts/wm8650.dtsi ++++ b/arch/arm/boot/dts/wm8650.dtsi +@@ -187,6 +187,15 @@ + interrupts = <43>; + }; + ++ sdhc@d800a000 { ++ compatible = "wm,wm8505-sdhc"; ++ reg = <0xd800a000 0x400>; ++ interrupts = <20>, <21>; ++ clocks = <&clksdhc>; ++ bus-width = <4>; ++ sdon-inverted; ++ }; ++ + fb: fb@d8050800 { + compatible = "wm,wm8505-fb"; + reg = <0xd8050800 0x200>; +diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S +index 03a2db58b22d..ba5ce99c021d 100644 +--- a/arch/mips/kvm/kvm_locore.S ++++ b/arch/mips/kvm/kvm_locore.S +@@ -159,9 +159,11 @@ FEXPORT(__kvm_mips_vcpu_run) + + FEXPORT(__kvm_mips_load_asid) + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +@@ -438,9 +440,11 @@ __kvm_mips_return_to_guest: + mtc0 t0, CP0_EPC + + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c +index 897c605263f2..12d850b68763 100644 +--- a/arch/mips/kvm/kvm_mips.c ++++ b/arch/mips/kvm/kvm_mips.c +@@ -313,7 +313,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + + if (!gebase) { + err = -ENOMEM; +- goto out_free_cpu; ++ goto out_uninit_cpu; + } + kvm_info("Allocated %d bytes for KVM Exception Handlers @ %p\n", + ALIGN(size, PAGE_SIZE), gebase); +@@ -373,6 +373,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + out_free_gebase: + kfree(gebase); + ++out_uninit_cpu: ++ kvm_vcpu_uninit(vcpu); ++ + out_free_cpu: + kfree(vcpu); + +diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c +index c76f297b7149..33085819cd89 100644 +--- a/arch/mips/kvm/kvm_mips_emul.c ++++ b/arch/mips/kvm/kvm_mips_emul.c +@@ -935,7 +935,7 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause, + + base = (inst >> 21) & 0x1f; + op_inst = (inst >> 16) & 0x1f; +- offset = inst & 0xffff; ++ offset = (int16_t)inst; + cache = (inst >> 16) & 0x3; + op = (inst >> 18) & 0x7; + +diff --git a/arch/s390/mm/extable.c b/arch/s390/mm/extable.c +index 4d1ee88864e8..18c8b819b0aa 100644 +--- a/arch/s390/mm/extable.c ++++ b/arch/s390/mm/extable.c +@@ -52,12 +52,16 @@ void sort_extable(struct exception_table_entry *start, + int i; + + /* Normalize entries to being relative to the start of the section */ +- for (p = start, i = 0; p < finish; p++, i += 8) ++ for (p = start, i = 0; p < finish; p++, i += 8) { + p->insn += i; ++ p->fixup += i + 4; ++ } + sort(start, finish - start, sizeof(*start), cmp_ex, NULL); + /* Denormalize all entries */ +- for (p = start, i = 0; p < finish; p++, i += 8) ++ for (p = start, i = 0; p < finish; p++, i += 8) { + p->insn -= i; ++ p->fixup -= i + 4; ++ } + } + + #ifdef CONFIG_MODULES +diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c +index 25db14a33d03..47ae8d757773 100644 +--- a/arch/sparc/kernel/sys_sparc_64.c ++++ b/arch/sparc/kernel/sys_sparc_64.c +@@ -412,7 +412,7 @@ out: + + SYSCALL_DEFINE1(sparc64_personality, unsigned long, personality) + { +- int ret; ++ long ret; + + if (personality(current->personality) == PER_LINUX32 && + personality(personality) == PER_LINUX) +diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c +index 337518c5042a..b412c62486f0 100644 +--- a/arch/um/os-Linux/start_up.c ++++ b/arch/um/os-Linux/start_up.c +@@ -95,6 +95,8 @@ static int start_ptraced_child(void) + { + int pid, n, status; + ++ fflush(stdout); ++ + pid = fork(); + if (pid == 0) + ptrace_child(); +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index ae7d543f23ed..8894f5bc4620 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -248,12 +248,19 @@ static efi_status_t __init phys_efi_set_virtual_address_map( + efi_memory_desc_t *virtual_map) + { + efi_status_t status; ++ unsigned long flags; + + efi_call_phys_prelog(); ++ ++ /* Disable interrupts around EFI calls: */ ++ local_irq_save(flags); + status = efi_call_phys4(efi_phys.set_virtual_address_map, + memory_map_size, descriptor_size, + descriptor_version, virtual_map); ++ local_irq_restore(flags); ++ + efi_call_phys_epilog(); ++ + return status; + } + +diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c +index 9ee3491e31fb..be4e7eb41674 100644 +--- a/arch/x86/platform/efi/efi_32.c ++++ b/arch/x86/platform/efi/efi_32.c +@@ -33,11 +33,10 @@ + + /* + * To make EFI call EFI runtime service in physical addressing mode we need +- * prelog/epilog before/after the invocation to disable interrupt, to +- * claim EFI runtime service handler exclusively and to duplicate a memory in +- * low memory space say 0 - 3G. ++ * prolog/epilog before/after the invocation to claim the EFI runtime service ++ * handler exclusively and to duplicate a memory mapping in low memory space, ++ * say 0 - 3G. + */ +-static unsigned long efi_rt_eflags; + + void efi_sync_low_kernel_mappings(void) {} + void __init efi_dump_pagetable(void) {} +@@ -59,8 +58,6 @@ void efi_call_phys_prelog(void) + { + struct desc_ptr gdt_descr; + +- local_irq_save(efi_rt_eflags); +- + load_cr3(initial_page_table); + __flush_tlb_all(); + +@@ -79,8 +76,6 @@ void efi_call_phys_epilog(void) + + load_cr3(swapper_pg_dir); + __flush_tlb_all(); +- +- local_irq_restore(efi_rt_eflags); + } + + void __init efi_runtime_mkexec(void) +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index 666b74a09092..b1be0425c686 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -41,7 +41,6 @@ + #include + + static pgd_t *save_pgd __initdata; +-static unsigned long efi_flags __initdata; + + /* + * We allocate runtime services regions bottom-up, starting from -4G, i.e. +@@ -87,7 +86,6 @@ void __init efi_call_phys_prelog(void) + return; + + early_code_mapping_set_exec(1); +- local_irq_save(efi_flags); + + n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE); + save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL); +@@ -115,7 +113,6 @@ void __init efi_call_phys_epilog(void) + set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]); + kfree(save_pgd); + __flush_tlb_all(); +- local_irq_restore(efi_flags); + early_code_mapping_set_exec(0); + } + +diff --git a/block/partitions/mac.c b/block/partitions/mac.c +index 76d8ba6379a9..bd5b91465230 100644 +--- a/block/partitions/mac.c ++++ b/block/partitions/mac.c +@@ -32,7 +32,7 @@ int mac_partition(struct parsed_partitions *state) + Sector sect; + unsigned char *data; + int slot, blocks_in_map; +- unsigned secsize; ++ unsigned secsize, datasize, partoffset; + #ifdef CONFIG_PPC_PMAC + int found_root = 0; + int found_root_goodness = 0; +@@ -50,10 +50,14 @@ int mac_partition(struct parsed_partitions *state) + } + secsize = be16_to_cpu(md->block_size); + put_dev_sector(sect); +- data = read_part_sector(state, secsize/512, §); ++ datasize = round_down(secsize, 512); ++ data = read_part_sector(state, datasize / 512, §); + if (!data) + return -1; +- part = (struct mac_partition *) (data + secsize%512); ++ partoffset = secsize % 512; ++ if (partoffset + sizeof(*part) > datasize) ++ return -1; ++ part = (struct mac_partition *) (data + partoffset); + if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) { + put_dev_sector(sect); + return 0; /* not a MacOS disk */ +diff --git a/crypto/async_tx/async_memcpy.c b/crypto/async_tx/async_memcpy.c +index f8c0b8dbeb75..88bc8e6b2a54 100644 +--- a/crypto/async_tx/async_memcpy.c ++++ b/crypto/async_tx/async_memcpy.c +@@ -53,7 +53,7 @@ async_memcpy(struct page *dest, struct page *src, unsigned int dest_offset, + struct dmaengine_unmap_data *unmap = NULL; + + if (device) +- unmap = dmaengine_get_unmap_data(device->dev, 2, GFP_NOIO); ++ unmap = dmaengine_get_unmap_data(device->dev, 2, GFP_NOWAIT); + + if (unmap && is_dma_copy_aligned(device, src_offset, dest_offset, len)) { + unsigned long dma_prep_flags = 0; +diff --git a/crypto/async_tx/async_pq.c b/crypto/async_tx/async_pq.c +index d05327caf69d..7eb264e65267 100644 +--- a/crypto/async_tx/async_pq.c ++++ b/crypto/async_tx/async_pq.c +@@ -176,7 +176,7 @@ async_gen_syndrome(struct page **blocks, unsigned int offset, int disks, + BUG_ON(disks > 255 || !(P(blocks, disks) || Q(blocks, disks))); + + if (device) +- unmap = dmaengine_get_unmap_data(device->dev, disks, GFP_NOIO); ++ unmap = dmaengine_get_unmap_data(device->dev, disks, GFP_NOWAIT); + + if (unmap && + (src_cnt <= dma_maxpq(device, 0) || +@@ -294,7 +294,7 @@ async_syndrome_val(struct page **blocks, unsigned int offset, int disks, + BUG_ON(disks < 4); + + if (device) +- unmap = dmaengine_get_unmap_data(device->dev, disks, GFP_NOIO); ++ unmap = dmaengine_get_unmap_data(device->dev, disks, GFP_NOWAIT); + + if (unmap && disks <= dma_maxpq(device, 0) && + is_dma_pq_aligned(device, offset, 0, len)) { +diff --git a/crypto/async_tx/async_raid6_recov.c b/crypto/async_tx/async_raid6_recov.c +index 934a84981495..8fab6275ea1f 100644 +--- a/crypto/async_tx/async_raid6_recov.c ++++ b/crypto/async_tx/async_raid6_recov.c +@@ -41,7 +41,7 @@ async_sum_product(struct page *dest, struct page **srcs, unsigned char *coef, + u8 *a, *b, *c; + + if (dma) +- unmap = dmaengine_get_unmap_data(dma->dev, 3, GFP_NOIO); ++ unmap = dmaengine_get_unmap_data(dma->dev, 3, GFP_NOWAIT); + + if (unmap) { + struct device *dev = dma->dev; +@@ -105,7 +105,7 @@ async_mult(struct page *dest, struct page *src, u8 coef, size_t len, + u8 *d, *s; + + if (dma) +- unmap = dmaengine_get_unmap_data(dma->dev, 3, GFP_NOIO); ++ unmap = dmaengine_get_unmap_data(dma->dev, 3, GFP_NOWAIT); + + if (unmap) { + dma_addr_t dma_dest[2]; +diff --git a/crypto/async_tx/async_xor.c b/crypto/async_tx/async_xor.c +index e1bce26cd4f9..da75777f2b3f 100644 +--- a/crypto/async_tx/async_xor.c ++++ b/crypto/async_tx/async_xor.c +@@ -182,7 +182,7 @@ async_xor(struct page *dest, struct page **src_list, unsigned int offset, + BUG_ON(src_cnt <= 1); + + if (device) +- unmap = dmaengine_get_unmap_data(device->dev, src_cnt+1, GFP_NOIO); ++ unmap = dmaengine_get_unmap_data(device->dev, src_cnt+1, GFP_NOWAIT); + + if (unmap && is_dma_xor_aligned(device, offset, 0, len)) { + struct dma_async_tx_descriptor *tx; +@@ -278,7 +278,7 @@ async_xor_val(struct page *dest, struct page **src_list, unsigned int offset, + BUG_ON(src_cnt <= 1); + + if (device) +- unmap = dmaengine_get_unmap_data(device->dev, src_cnt, GFP_NOIO); ++ unmap = dmaengine_get_unmap_data(device->dev, src_cnt, GFP_NOWAIT); + + if (unmap && src_cnt <= device->max_xor && + is_dma_xor_aligned(device, offset, 0, len)) { +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index 136803c47cdb..96e5ed188636 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -997,12 +997,9 @@ static inline int ata_hsm_ok_in_wq(struct ata_port *ap, + static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) + { + struct ata_port *ap = qc->ap; +- unsigned long flags; + + if (ap->ops->error_handler) { + if (in_wq) { +- spin_lock_irqsave(ap->lock, flags); +- + /* EH might have kicked in while host lock is + * released. + */ +@@ -1014,8 +1011,6 @@ static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) + } else + ata_port_freeze(ap); + } +- +- spin_unlock_irqrestore(ap->lock, flags); + } else { + if (likely(!(qc->err_mask & AC_ERR_HSM))) + ata_qc_complete(qc); +@@ -1024,10 +1019,8 @@ static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) + } + } else { + if (in_wq) { +- spin_lock_irqsave(ap->lock, flags); + ata_sff_irq_on(ap); + ata_qc_complete(qc); +- spin_unlock_irqrestore(ap->lock, flags); + } else + ata_qc_complete(qc); + } +@@ -1048,9 +1041,10 @@ int ata_sff_hsm_move(struct ata_port *ap, struct ata_queued_cmd *qc, + { + struct ata_link *link = qc->dev->link; + struct ata_eh_info *ehi = &link->eh_info; +- unsigned long flags = 0; + int poll_next; + ++ lockdep_assert_held(ap->lock); ++ + WARN_ON_ONCE((qc->flags & ATA_QCFLAG_ACTIVE) == 0); + + /* Make sure ata_sff_qc_issue() does not throw things +@@ -1112,14 +1106,6 @@ fsm_start: + } + } + +- /* Send the CDB (atapi) or the first data block (ata pio out). +- * During the state transition, interrupt handler shouldn't +- * be invoked before the data transfer is complete and +- * hsm_task_state is changed. Hence, the following locking. +- */ +- if (in_wq) +- spin_lock_irqsave(ap->lock, flags); +- + if (qc->tf.protocol == ATA_PROT_PIO) { + /* PIO data out protocol. + * send first data block. +@@ -1135,9 +1121,6 @@ fsm_start: + /* send CDB */ + atapi_send_cdb(ap, qc); + +- if (in_wq) +- spin_unlock_irqrestore(ap->lock, flags); +- + /* if polling, ata_sff_pio_task() handles the rest. + * otherwise, interrupt handler takes over from here. + */ +@@ -1361,12 +1344,14 @@ static void ata_sff_pio_task(struct work_struct *work) + u8 status; + int poll_next; + ++ spin_lock_irq(ap->lock); ++ + BUG_ON(ap->sff_pio_task_link == NULL); + /* qc can be NULL if timeout occurred */ + qc = ata_qc_from_tag(ap, link->active_tag); + if (!qc) { + ap->sff_pio_task_link = NULL; +- return; ++ goto out_unlock; + } + + fsm_start: +@@ -1381,11 +1366,14 @@ fsm_start: + */ + status = ata_sff_busy_wait(ap, ATA_BUSY, 5); + if (status & ATA_BUSY) { ++ spin_unlock_irq(ap->lock); + ata_msleep(ap, 2); ++ spin_lock_irq(ap->lock); ++ + status = ata_sff_busy_wait(ap, ATA_BUSY, 10); + if (status & ATA_BUSY) { + ata_sff_queue_pio_task(link, ATA_SHORT_PAUSE); +- return; ++ goto out_unlock; + } + } + +@@ -1402,6 +1390,8 @@ fsm_start: + */ + if (poll_next) + goto fsm_start; ++out_unlock: ++ spin_unlock_irq(ap->lock); + } + + /** +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c +index b7695e804635..fa94fba8fa21 100644 +--- a/drivers/ata/sata_sil.c ++++ b/drivers/ata/sata_sil.c +@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_device *dev) + unsigned int n, quirks = 0; + unsigned char model_num[ATA_ID_PROD_LEN + 1]; + ++ /* This controller doesn't support trim */ ++ dev->horkage |= ATA_HORKAGE_NOTRIM; ++ + ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num)); + + for (n = 0; sil_blacklist[n].product; n++) +diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/vt8500_timer.c +index 1098ed3b9b89..dc45ddb36117 100644 +--- a/drivers/clocksource/vt8500_timer.c ++++ b/drivers/clocksource/vt8500_timer.c +@@ -50,6 +50,8 @@ + + #define msecs_to_loops(t) (loops_per_jiffy / 1000 * HZ * t) + ++#define MIN_OSCR_DELTA 16 ++ + static void __iomem *regbase; + + static cycle_t vt8500_timer_read(struct clocksource *cs) +@@ -80,7 +82,7 @@ static int vt8500_timer_set_next_event(unsigned long cycles, + cpu_relax(); + writel((unsigned long)alarm, regbase + TIMER_MATCH_VAL); + +- if ((signed)(alarm - clocksource.read(&clocksource)) <= 16) ++ if ((signed)(alarm - clocksource.read(&clocksource)) <= MIN_OSCR_DELTA) + return -ETIME; + + writel(1, regbase + TIMER_IER_VAL); +@@ -160,7 +162,7 @@ static void __init vt8500_timer_init(struct device_node *np) + pr_err("%s: setup_irq failed for %s\n", __func__, + clockevent.name); + clockevents_config_and_register(&clockevent, VT8500_TIMER_HZ, +- 4, 0xf0000000); ++ MIN_OSCR_DELTA * 2, 0xf0000000); + } + + CLOCKSOURCE_OF_DECLARE(vt8500, "via,vt8500-timer", vt8500_timer_init); +diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c +index 3ae48ee2f488..df79cb0bf04e 100644 +--- a/drivers/dma/dw/core.c ++++ b/drivers/dma/dw/core.c +@@ -176,7 +176,7 @@ static void dwc_initialize(struct dw_dma_chan *dwc) + + /*----------------------------------------------------------------------*/ + +-static inline unsigned int dwc_fast_fls(unsigned long long v) ++static inline unsigned int dwc_fast_ffs(unsigned long long v) + { + /* + * We can be a lot more clever here, but this should take care +@@ -720,7 +720,7 @@ dwc_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dest, dma_addr_t src, + dw->data_width[dwc->dst_master]); + + src_width = dst_width = min_t(unsigned int, data_width, +- dwc_fast_fls(src | dest | len)); ++ dwc_fast_ffs(src | dest | len)); + + ctllo = DWC_DEFAULT_CTLLO(chan) + | DWC_CTLL_DST_WIDTH(dst_width) +@@ -799,7 +799,7 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + + switch (direction) { + case DMA_MEM_TO_DEV: +- reg_width = __fls(sconfig->dst_addr_width); ++ reg_width = __ffs(sconfig->dst_addr_width); + reg = sconfig->dst_addr; + ctllo = (DWC_DEFAULT_CTLLO(chan) + | DWC_CTLL_DST_WIDTH(reg_width) +@@ -819,7 +819,7 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + len = sg_dma_len(sg); + + mem_width = min_t(unsigned int, +- data_width, dwc_fast_fls(mem | len)); ++ data_width, dwc_fast_ffs(mem | len)); + + slave_sg_todev_fill_desc: + desc = dwc_desc_get(dwc); +@@ -859,7 +859,7 @@ slave_sg_todev_fill_desc: + } + break; + case DMA_DEV_TO_MEM: +- reg_width = __fls(sconfig->src_addr_width); ++ reg_width = __ffs(sconfig->src_addr_width); + reg = sconfig->src_addr; + ctllo = (DWC_DEFAULT_CTLLO(chan) + | DWC_CTLL_SRC_WIDTH(reg_width) +@@ -879,7 +879,7 @@ slave_sg_todev_fill_desc: + len = sg_dma_len(sg); + + mem_width = min_t(unsigned int, +- data_width, dwc_fast_fls(mem | len)); ++ data_width, dwc_fast_ffs(mem | len)); + + slave_sg_fromdev_fill_desc: + desc = dwc_desc_get(dwc); +diff --git a/drivers/edac/edac_device.c b/drivers/edac/edac_device.c +index 592af5f0cf39..53587377e672 100644 +--- a/drivers/edac/edac_device.c ++++ b/drivers/edac/edac_device.c +@@ -435,16 +435,13 @@ void edac_device_workq_setup(struct edac_device_ctl_info *edac_dev, + */ + void edac_device_workq_teardown(struct edac_device_ctl_info *edac_dev) + { +- int status; +- + if (!edac_dev->edac_check) + return; + +- status = cancel_delayed_work(&edac_dev->work); +- if (status == 0) { +- /* workq instance might be running, wait for it */ +- flush_workqueue(edac_workqueue); +- } ++ edac_dev->op_state = OP_OFFLINE; ++ ++ cancel_delayed_work_sync(&edac_dev->work); ++ flush_workqueue(edac_workqueue); + } + + /* +diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c +index 33edd6766344..19dc0bc9b136 100644 +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -584,18 +584,10 @@ static void edac_mc_workq_setup(struct mem_ctl_info *mci, unsigned msec, + */ + static void edac_mc_workq_teardown(struct mem_ctl_info *mci) + { +- int status; +- +- if (mci->op_state != OP_RUNNING_POLL) +- return; +- +- status = cancel_delayed_work(&mci->work); +- if (status == 0) { +- edac_dbg(0, "not canceled, flush the queue\n"); ++ mci->op_state = OP_OFFLINE; + +- /* workq instance might be running, wait for it */ +- flush_workqueue(edac_workqueue); +- } ++ cancel_delayed_work_sync(&mci->work); ++ flush_workqueue(edac_workqueue); + } + + /* +diff --git a/drivers/edac/edac_pci.c b/drivers/edac/edac_pci.c +index 2cf44b4db80c..b4b38603b804 100644 +--- a/drivers/edac/edac_pci.c ++++ b/drivers/edac/edac_pci.c +@@ -274,13 +274,12 @@ static void edac_pci_workq_setup(struct edac_pci_ctl_info *pci, + */ + static void edac_pci_workq_teardown(struct edac_pci_ctl_info *pci) + { +- int status; +- + edac_dbg(0, "\n"); + +- status = cancel_delayed_work(&pci->work); +- if (status == 0) +- flush_workqueue(edac_workqueue); ++ pci->op_state = OP_OFFLINE; ++ ++ cancel_delayed_work_sync(&pci->work); ++ flush_workqueue(edac_workqueue); + } + + /* +diff --git a/drivers/gpu/drm/ast/ast_drv.h b/drivers/gpu/drm/ast/ast_drv.h +index 9833a1b1acc1..3fc122306f1f 100644 +--- a/drivers/gpu/drm/ast/ast_drv.h ++++ b/drivers/gpu/drm/ast/ast_drv.h +@@ -296,6 +296,7 @@ int ast_framebuffer_init(struct drm_device *dev, + int ast_fbdev_init(struct drm_device *dev); + void ast_fbdev_fini(struct drm_device *dev); + void ast_fbdev_set_suspend(struct drm_device *dev, int state); ++void ast_fbdev_set_base(struct ast_private *ast, unsigned long gpu_addr); + + struct ast_bo { + struct ttm_buffer_object bo; +diff --git a/drivers/gpu/drm/ast/ast_fb.c b/drivers/gpu/drm/ast/ast_fb.c +index a28640f47c27..b55b6b1c9fe2 100644 +--- a/drivers/gpu/drm/ast/ast_fb.c ++++ b/drivers/gpu/drm/ast/ast_fb.c +@@ -367,3 +367,10 @@ void ast_fbdev_set_suspend(struct drm_device *dev, int state) + + fb_set_suspend(ast->fbdev->helper.fbdev, state); + } ++ ++void ast_fbdev_set_base(struct ast_private *ast, unsigned long gpu_addr) ++{ ++ ast->fbdev->helper.fbdev->fix.smem_start = ++ ast->fbdev->helper.fbdev->apertures->ranges[0].base + gpu_addr; ++ ast->fbdev->helper.fbdev->fix.smem_len = ast->vram_size - gpu_addr; ++} +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c +index d830b38e54f6..c0f284230a39 100644 +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -312,6 +312,7 @@ int ast_driver_load(struct drm_device *dev, unsigned long flags) + dev->mode_config.min_height = 0; + dev->mode_config.preferred_depth = 24; + dev->mode_config.prefer_shadow = 1; ++ dev->mode_config.fb_base = pci_resource_start(ast->dev->pdev, 0); + + if (ast->chip == AST2100 || + ast->chip == AST2200 || +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index d2e56e95d886..cea916fa164b 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -509,6 +509,8 @@ static int ast_crtc_do_set_base(struct drm_crtc *crtc, + ret = ttm_bo_kmap(&bo->bo, 0, bo->bo.num_pages, &bo->kmap); + if (ret) + DRM_ERROR("failed to kmap fbcon\n"); ++ else ++ ast_fbdev_set_base(ast, gpu_addr); + } + ast_bo_unreserve(bo); + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 958b26dcac8a..0a9d1fd32994 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -8821,11 +8821,21 @@ connected_sink_compute_bpp(struct intel_connector * connector, + pipe_config->pipe_bpp = connector->base.display_info.bpc*3; + } + +- /* Clamp bpp to 8 on screens without EDID 1.4 */ +- if (connector->base.display_info.bpc == 0 && bpp > 24) { +- DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of 24\n", +- bpp); +- pipe_config->pipe_bpp = 24; ++ /* Clamp bpp to default limit on screens without EDID 1.4 */ ++ if (connector->base.display_info.bpc == 0) { ++ int type = connector->base.connector_type; ++ int clamp_bpp = 24; ++ ++ /* Fall back to 18 bpp when DP sink capability is unknown. */ ++ if (type == DRM_MODE_CONNECTOR_DisplayPort || ++ type == DRM_MODE_CONNECTOR_eDP) ++ clamp_bpp = 18; ++ ++ if (bpp > clamp_bpp) { ++ DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of %d\n", ++ bpp, clamp_bpp); ++ pipe_config->pipe_bpp = clamp_bpp; ++ } + } + } + +diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c +index 56a13a915155..0928c5e2bafd 100644 +--- a/drivers/gpu/drm/qxl/qxl_ioctl.c ++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c +@@ -168,7 +168,8 @@ static int qxl_process_single_command(struct qxl_device *qdev, + cmd->command_size)) + return -EFAULT; + +- reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num, GFP_KERNEL); ++ reloc_info = kmalloc_array(cmd->relocs_num, ++ sizeof(struct qxl_reloc_info), GFP_KERNEL); + if (!reloc_info) + return -ENOMEM; + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 2fa3cf615a67..6a3b5f92219f 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -436,7 +436,9 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, + } + + /* Fujitsu D3003-S2 board lists DVI-I as DVI-D and VGA */ +- if (((dev->pdev->device == 0x9802) || (dev->pdev->device == 0x9806)) && ++ if (((dev->pdev->device == 0x9802) || ++ (dev->pdev->device == 0x9805) || ++ (dev->pdev->device == 0x9806)) && + (dev->pdev->subsystem_vendor == 0x1734) && + (dev->pdev->subsystem_device == 0x11bd)) { + if (*connector_type == DRM_MODE_CONNECTOR_VGA) { +@@ -447,14 +449,6 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, + } + } + +- /* Fujitsu D3003-S2 board lists DVI-I as DVI-I and VGA */ +- if ((dev->pdev->device == 0x9805) && +- (dev->pdev->subsystem_vendor == 0x1734) && +- (dev->pdev->subsystem_device == 0x11bd)) { +- if (*connector_type == DRM_MODE_CONNECTOR_VGA) +- return false; +- } +- + return true; + } + +diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c +index f8b20e1c0820..614144d34aea 100644 +--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c +@@ -79,6 +79,11 @@ static void radeon_hotplug_work_func(struct work_struct *work) + struct drm_mode_config *mode_config = &dev->mode_config; + struct drm_connector *connector; + ++ /* we can race here at startup, some boards seem to trigger ++ * hotplug irqs when they shouldn't. */ ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + mutex_lock(&mode_config->mutex); + if (mode_config->num_connector) { + list_for_each_entry(connector, &mode_config->connector_list, head) +diff --git a/drivers/gpu/drm/radeon/radeon_pm.c b/drivers/gpu/drm/radeon/radeon_pm.c +index 0b00de55b2a4..9a559140e4a3 100644 +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -915,8 +915,6 @@ static void radeon_dpm_change_power_state_locked(struct radeon_device *rdev) + + /* update display watermarks based on new power state */ + radeon_bandwidth_update(rdev); +- /* update displays */ +- radeon_dpm_display_configuration_changed(rdev); + + rdev->pm.dpm.current_active_crtcs = rdev->pm.dpm.new_active_crtcs; + rdev->pm.dpm.current_active_crtc_count = rdev->pm.dpm.new_active_crtc_count; +@@ -936,6 +934,9 @@ static void radeon_dpm_change_power_state_locked(struct radeon_device *rdev) + + radeon_dpm_post_set_power_state(rdev); + ++ /* update displays */ ++ radeon_dpm_display_configuration_changed(rdev); ++ + if (rdev->asic->dpm.force_performance_level) { + if (rdev->pm.dpm.thermal_active) { + enum radeon_dpm_forced_level level = rdev->pm.dpm.forced_level; +@@ -1364,8 +1365,7 @@ int radeon_pm_late_init(struct radeon_device *rdev) + ret = device_create_file(rdev->dev, &dev_attr_power_method); + if (ret) + DRM_ERROR("failed to create device file for power method\n"); +- if (!ret) +- rdev->pm.sysfs_initialized = true; ++ rdev->pm.sysfs_initialized = true; + } + + mutex_lock(&rdev->pm.mutex); +diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c +index c0625805cdd7..a1d684266549 100644 +--- a/drivers/gpu/drm/radeon/radeon_sa.c ++++ b/drivers/gpu/drm/radeon/radeon_sa.c +@@ -349,8 +349,13 @@ int radeon_sa_bo_new(struct radeon_device *rdev, + /* see if we can skip over some allocations */ + } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); + ++ for (i = 0; i < RADEON_NUM_RINGS; ++i) ++ radeon_fence_ref(fences[i]); ++ + spin_unlock(&sa_manager->wq.lock); + r = radeon_fence_wait_any(rdev, fences, false); ++ for (i = 0; i < RADEON_NUM_RINGS; ++i) ++ radeon_fence_unref(&fences[i]); + spin_lock(&sa_manager->wq.lock); + /* if we have nothing to wait for block */ + if (r == -ENOENT && block) { +diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c +index 45a9a03efc06..2d50433b8c72 100644 +--- a/drivers/gpu/drm/radeon/radeon_ttm.c ++++ b/drivers/gpu/drm/radeon/radeon_ttm.c +@@ -623,7 +623,7 @@ static int radeon_ttm_tt_populate(struct ttm_tt *ttm) + 0, PAGE_SIZE, + PCI_DMA_BIDIRECTIONAL); + if (pci_dma_mapping_error(rdev->pdev, gtt->ttm.dma_address[i])) { +- while (--i) { ++ while (i--) { + pci_unmap_page(rdev->pdev, gtt->ttm.dma_address[i], + PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); + gtt->ttm.dma_address[i] = 0; +diff --git a/drivers/gpu/drm/radeon/rv770_dpm.c b/drivers/gpu/drm/radeon/rv770_dpm.c +index 8fcb932a3a55..aaefb10aa09e 100644 +--- a/drivers/gpu/drm/radeon/rv770_dpm.c ++++ b/drivers/gpu/drm/radeon/rv770_dpm.c +@@ -1415,7 +1415,7 @@ int rv770_resume_smc(struct radeon_device *rdev) + int rv770_set_sw_state(struct radeon_device *rdev) + { + if (rv770_send_msg_to_smc(rdev, PPSMC_MSG_SwitchToSwState) != PPSMC_Result_OK) +- return -EINVAL; ++ DRM_ERROR("rv770_set_sw_state failed\n"); + return 0; + } + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index 0771dcbf9ed0..7c48070cf9d8 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -25,6 +25,7 @@ + * + **************************************************************************/ + #include ++#include + + #include + #include "vmwgfx_drv.h" +@@ -1383,6 +1384,12 @@ static int vmw_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + static int __init vmwgfx_init(void) + { + int ret; ++ ++#ifdef CONFIG_VGA_CONSOLE ++ if (vgacon_text_force()) ++ return -EINVAL; ++#endif ++ + ret = drm_pci_init(&driver, &vmw_pci_driver); + if (ret) + DRM_ERROR("Failed initializing DRM.\n"); +diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c +index af0259708358..bbb554d586d4 100644 +--- a/drivers/gpu/vga/vgaarb.c ++++ b/drivers/gpu/vga/vgaarb.c +@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsigned int rsrc, int interruptible) + set_current_state(interruptible ? + TASK_INTERRUPTIBLE : + TASK_UNINTERRUPTIBLE); +- if (signal_pending(current)) { +- rc = -EINTR; ++ if (interruptible && signal_pending(current)) { ++ __set_current_state(TASK_RUNNING); ++ remove_wait_queue(&vga_wait_queue, &wait); ++ rc = -ERESTARTSYS; + break; + } + schedule(); +diff --git a/drivers/hwmon/ads1015.c b/drivers/hwmon/ads1015.c +index 126516414c11..44223f5d92d8 100644 +--- a/drivers/hwmon/ads1015.c ++++ b/drivers/hwmon/ads1015.c +@@ -126,7 +126,7 @@ static int ads1015_reg_to_mv(struct i2c_client *client, unsigned int channel, + struct ads1015_data *data = i2c_get_clientdata(client); + unsigned int pga = data->channel_data[channel].pga; + int fullscale = fullscale_table[pga]; +- const unsigned mask = data->id == ads1115 ? 0x7fff : 0x7ff0; ++ const int mask = data->id == ads1115 ? 0x7fff : 0x7ff0; + + return DIV_ROUND_CLOSEST(reg * fullscale, mask); + } +diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c +index 095bb046e2c8..875348699e6e 100644 +--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c ++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c +@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en + error = l2t_send(tdev, skb, l2e); + if (error < 0) + kfree_skb(skb); +- return error; ++ return error < 0 ? error : 0; + } + + int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) +@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) + error = cxgb3_ofld_send(tdev, skb); + if (error < 0) + kfree_skb(skb); +- return error; ++ return error < 0 ? error : 0; + } + + static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb) +diff --git a/drivers/infiniband/hw/qib/qib_verbs_mcast.c b/drivers/infiniband/hw/qib/qib_verbs_mcast.c +index dabb697b1c2a..48ba1c3e945a 100644 +--- a/drivers/infiniband/hw/qib/qib_verbs_mcast.c ++++ b/drivers/infiniband/hw/qib/qib_verbs_mcast.c +@@ -286,15 +286,13 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) + struct qib_ibdev *dev = to_idev(ibqp->device); + struct qib_ibport *ibp = to_iport(ibqp->device, qp->port_num); + struct qib_mcast *mcast = NULL; +- struct qib_mcast_qp *p, *tmp; ++ struct qib_mcast_qp *p, *tmp, *delp = NULL; + struct rb_node *n; + int last = 0; + int ret; + +- if (ibqp->qp_num <= 1 || qp->state == IB_QPS_RESET) { +- ret = -EINVAL; +- goto bail; +- } ++ if (ibqp->qp_num <= 1 || qp->state == IB_QPS_RESET) ++ return -EINVAL; + + spin_lock_irq(&ibp->lock); + +@@ -303,8 +301,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) + while (1) { + if (n == NULL) { + spin_unlock_irq(&ibp->lock); +- ret = -EINVAL; +- goto bail; ++ return -EINVAL; + } + + mcast = rb_entry(n, struct qib_mcast, rb_node); +@@ -328,6 +325,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) + */ + list_del_rcu(&p->list); + mcast->n_attached--; ++ delp = p; + + /* If this was the last attached QP, remove the GID too. */ + if (list_empty(&mcast->qp_list)) { +@@ -338,15 +336,16 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) + } + + spin_unlock_irq(&ibp->lock); ++ /* QP not attached */ ++ if (!delp) ++ return -EINVAL; ++ /* ++ * Wait for any list walkers to finish before freeing the ++ * list element. ++ */ ++ wait_event(mcast->wait, atomic_read(&mcast->refcount) <= 1); ++ qib_mcast_qp_free(delp); + +- if (p) { +- /* +- * Wait for any list walkers to finish before freeing the +- * list element. +- */ +- wait_event(mcast->wait, atomic_read(&mcast->refcount) <= 1); +- qib_mcast_qp_free(p); +- } + if (last) { + atomic_dec(&mcast->refcount); + wait_event(mcast->wait, !atomic_read(&mcast->refcount)); +@@ -355,11 +354,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) + dev->n_mcast_grps_allocated--; + spin_unlock_irq(&dev->n_mcast_grps_lock); + } +- +- ret = 0; +- +-bail: +- return ret; ++ return 0; + } + + int qib_mcast_tree_empty(struct qib_ibport *ibp) +diff --git a/drivers/irqchip/irq-versatile-fpga.c b/drivers/irqchip/irq-versatile-fpga.c +index 3ae2bb8d9cf2..21a44b168d46 100644 +--- a/drivers/irqchip/irq-versatile-fpga.c ++++ b/drivers/irqchip/irq-versatile-fpga.c +@@ -204,7 +204,12 @@ int __init fpga_irq_of_init(struct device_node *node, + if (!parent_irq) + parent_irq = -1; + ++#ifdef CONFIG_ARCH_VERSATILE ++ fpga_irq_init(base, node->name, IRQ_SIC_START, parent_irq, valid_mask, ++ node); ++#else + fpga_irq_init(base, node->name, 0, parent_irq, valid_mask, node); ++#endif + + writel(clear_mask, base + IRQ_ENABLE_CLEAR); + writel(clear_mask, base + FIQ_ENABLE_CLEAR); +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index fbcb6225f794..74a5786ddcce 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1641,6 +1641,7 @@ static void bch_btree_gc(struct cache_set *c) + do { + ret = btree_root(gc_root, c, &op, &writes, &stats); + closure_sync(&writes); ++ cond_resched(); + + if (ret && ret != -EAGAIN) + pr_warn("gc failed!"); +@@ -2037,8 +2038,10 @@ int bch_btree_insert_check_key(struct btree *b, struct btree_op *op, + rw_lock(true, b, b->level); + + if (b->key.ptr[0] != btree_ptr || +- b->seq != seq + 1) ++ b->seq != seq + 1) { ++ op->lock = b->level; + goto out; ++ } + } + + SET_KEY_PTRS(check_key, 1); +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 24a3a1546caa..1b6beb1e3142 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -712,6 +712,8 @@ static void bcache_device_link(struct bcache_device *d, struct cache_set *c, + WARN(sysfs_create_link(&d->kobj, &c->kobj, "cache") || + sysfs_create_link(&c->kobj, &d->kobj, d->name), + "Couldn't create device <-> cache set symlinks"); ++ ++ clear_bit(BCACHE_DEV_UNLINK_DONE, &d->flags); + } + + static void bcache_device_detach(struct bcache_device *d) +@@ -882,8 +884,11 @@ void bch_cached_dev_run(struct cached_dev *dc) + buf[SB_LABEL_SIZE] = '\0'; + env[2] = kasprintf(GFP_KERNEL, "CACHED_LABEL=%s", buf); + +- if (atomic_xchg(&dc->running, 1)) ++ if (atomic_xchg(&dc->running, 1)) { ++ kfree(env[1]); ++ kfree(env[2]); + return; ++ } + + if (!d->c && + BDEV_STATE(&dc->sb) != BDEV_STATE_NONE) { +@@ -2081,8 +2086,10 @@ static int __init bcache_init(void) + closure_debug_init(); + + bcache_major = register_blkdev(0, "bcache"); +- if (bcache_major < 0) ++ if (bcache_major < 0) { ++ unregister_reboot_notifier(&reboot); + return bcache_major; ++ } + + if (!(bcache_wq = create_workqueue("bcache")) || + !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) || +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c +index f4300e4c0114..d6525c12c8d8 100644 +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -323,6 +323,10 @@ void bcache_dev_sectors_dirty_add(struct cache_set *c, unsigned inode, + + static bool dirty_pred(struct keybuf *buf, struct bkey *k) + { ++ struct cached_dev *dc = container_of(buf, struct cached_dev, writeback_keys); ++ ++ BUG_ON(KEY_INODE(k) != dc->disk.id); ++ + return KEY_DIRTY(k); + } + +@@ -372,11 +376,24 @@ next: + } + } + ++/* ++ * Returns true if we scanned the entire disk ++ */ + static bool refill_dirty(struct cached_dev *dc) + { + struct keybuf *buf = &dc->writeback_keys; ++ struct bkey start = KEY(dc->disk.id, 0, 0); + struct bkey end = KEY(dc->disk.id, MAX_KEY_OFFSET, 0); +- bool searched_from_start = false; ++ struct bkey start_pos; ++ ++ /* ++ * make sure keybuf pos is inside the range for this disk - at bringup ++ * we might not be attached yet so this disk's inode nr isn't ++ * initialized then ++ */ ++ if (bkey_cmp(&buf->last_scanned, &start) < 0 || ++ bkey_cmp(&buf->last_scanned, &end) > 0) ++ buf->last_scanned = start; + + if (dc->partial_stripes_expensive) { + refill_full_stripes(dc); +@@ -384,14 +401,20 @@ static bool refill_dirty(struct cached_dev *dc) + return false; + } + +- if (bkey_cmp(&buf->last_scanned, &end) >= 0) { +- buf->last_scanned = KEY(dc->disk.id, 0, 0); +- searched_from_start = true; +- } +- ++ start_pos = buf->last_scanned; + bch_refill_keybuf(dc->disk.c, buf, &end, dirty_pred); + +- return bkey_cmp(&buf->last_scanned, &end) >= 0 && searched_from_start; ++ if (bkey_cmp(&buf->last_scanned, &end) < 0) ++ return false; ++ ++ /* ++ * If we get to the end start scanning again from the beginning, and ++ * only scan up to where we initially started scanning from: ++ */ ++ buf->last_scanned = start; ++ bch_refill_keybuf(dc->disk.c, buf, &start_pos, dirty_pred); ++ ++ return bkey_cmp(&buf->last_scanned, &start_pos) >= 0; + } + + static int bch_writeback_thread(void *arg) +diff --git a/drivers/md/bcache/writeback.h b/drivers/md/bcache/writeback.h +index e2f8598937ac..afe7ecada503 100644 +--- a/drivers/md/bcache/writeback.h ++++ b/drivers/md/bcache/writeback.h +@@ -63,7 +63,8 @@ static inline bool should_writeback(struct cached_dev *dc, struct bio *bio, + + static inline void bch_writeback_queue(struct cached_dev *dc) + { +- wake_up_process(dc->writeback_thread); ++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) ++ wake_up_process(dc->writeback_thread); + } + + static inline void bch_writeback_add(struct cached_dev *dc) +diff --git a/drivers/md/dm-exception-store.h b/drivers/md/dm-exception-store.h +index 0b2536247cf5..84e27708ad97 100644 +--- a/drivers/md/dm-exception-store.h ++++ b/drivers/md/dm-exception-store.h +@@ -70,7 +70,7 @@ struct dm_exception_store_type { + * Update the metadata with this exception. + */ + void (*commit_exception) (struct dm_exception_store *store, +- struct dm_exception *e, ++ struct dm_exception *e, int valid, + void (*callback) (void *, int success), + void *callback_context); + +diff --git a/drivers/md/dm-snap-persistent.c b/drivers/md/dm-snap-persistent.c +index d6e88178d22c..d3272acc0f0e 100644 +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -700,7 +700,7 @@ static int persistent_prepare_exception(struct dm_exception_store *store, + } + + static void persistent_commit_exception(struct dm_exception_store *store, +- struct dm_exception *e, ++ struct dm_exception *e, int valid, + void (*callback) (void *, int success), + void *callback_context) + { +@@ -709,6 +709,9 @@ static void persistent_commit_exception(struct dm_exception_store *store, + struct core_exception ce; + struct commit_callback *cb; + ++ if (!valid) ++ ps->valid = 0; ++ + ce.old_chunk = e->old_chunk; + ce.new_chunk = e->new_chunk; + write_exception(ps, ps->current_committed++, &ce); +diff --git a/drivers/md/dm-snap-transient.c b/drivers/md/dm-snap-transient.c +index 1ce9a2586e41..31439d53cf7e 100644 +--- a/drivers/md/dm-snap-transient.c ++++ b/drivers/md/dm-snap-transient.c +@@ -52,12 +52,12 @@ static int transient_prepare_exception(struct dm_exception_store *store, + } + + static void transient_commit_exception(struct dm_exception_store *store, +- struct dm_exception *e, ++ struct dm_exception *e, int valid, + void (*callback) (void *, int success), + void *callback_context) + { + /* Just succeed */ +- callback(callback_context, 1); ++ callback(callback_context, valid); + } + + static void transient_usage(struct dm_exception_store *store, +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index c356a10b9ba5..2e9117630dbe 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -1388,8 +1388,9 @@ static void __invalidate_snapshot(struct dm_snapshot *s, int err) + dm_table_event(s->ti->table); + } + +-static void pending_complete(struct dm_snap_pending_exception *pe, int success) ++static void pending_complete(void *context, int success) + { ++ struct dm_snap_pending_exception *pe = context; + struct dm_exception *e; + struct dm_snapshot *s = pe->snap; + struct bio *origin_bios = NULL; +@@ -1460,24 +1461,13 @@ out: + free_pending_exception(pe); + } + +-static void commit_callback(void *context, int success) +-{ +- struct dm_snap_pending_exception *pe = context; +- +- pending_complete(pe, success); +-} +- + static void complete_exception(struct dm_snap_pending_exception *pe) + { + struct dm_snapshot *s = pe->snap; + +- if (unlikely(pe->copy_error)) +- pending_complete(pe, 0); +- +- else +- /* Update the metadata if we are persistent */ +- s->store->type->commit_exception(s->store, &pe->e, +- commit_callback, pe); ++ /* Update the metadata if we are persistent */ ++ s->store->type->commit_exception(s->store, &pe->e, !pe->copy_error, ++ pending_complete, pe); + } + + /* +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c +index 3412b86e79fd..7768de60f699 100644 +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -1205,6 +1205,12 @@ static int __reserve_metadata_snap(struct dm_pool_metadata *pmd) + dm_block_t held_root; + + /* ++ * We commit to ensure the btree roots which we increment in a ++ * moment are up to date. ++ */ ++ __commit_transaction(pmd); ++ ++ /* + * Copy the superblock. + */ + dm_sm_inc_block(pmd->metadata_sm, THIN_SUPERBLOCK_LOCATION); +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index b94e4648c199..d633a3921b3c 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1619,6 +1619,7 @@ static void set_pool_mode(struct pool *pool, enum pool_mode new_mode) + case PM_WRITE: + if (old_mode != new_mode) + notify_of_pool_mode_change(pool, "write"); ++ pool->pf.error_if_no_space = pt->requested_pf.error_if_no_space; + dm_pool_metadata_read_write(pool->pmd); + pool->process_bio = process_bio; + pool->process_discard = process_discard; +@@ -2567,8 +2568,8 @@ static void pool_postsuspend(struct dm_target *ti) + struct pool_c *pt = ti->private; + struct pool *pool = pt->pool; + +- cancel_delayed_work(&pool->waker); +- cancel_delayed_work(&pool->no_space_timeout); ++ cancel_delayed_work_sync(&pool->waker); ++ cancel_delayed_work_sync(&pool->no_space_timeout); + flush_workqueue(pool->wq); + (void) commit(pool); + } +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c +index 7ba85e2b146b..7b4bb1f09b01 100644 +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -250,6 +250,16 @@ static void pop_frame(struct del_stack *s) + dm_tm_unlock(s->tm, f->b); + } + ++static void unlock_all_frames(struct del_stack *s) ++{ ++ struct frame *f; ++ ++ while (unprocessed_frames(s)) { ++ f = s->spine + s->top--; ++ dm_tm_unlock(s->tm, f->b); ++ } ++} ++ + int dm_btree_del(struct dm_btree_info *info, dm_block_t root) + { + int r; +@@ -306,9 +316,13 @@ int dm_btree_del(struct dm_btree_info *info, dm_block_t root) + pop_frame(s); + } + } +- + out: ++ if (r) { ++ /* cleanup all frames of del_stack */ ++ unlock_all_frames(s); ++ } + kfree(s); ++ + return r; + } + EXPORT_SYMBOL_GPL(dm_btree_del); +diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c +index 199c9ccd1f5d..032ee39a0e9b 100644 +--- a/drivers/md/persistent-data/dm-space-map-metadata.c ++++ b/drivers/md/persistent-data/dm-space-map-metadata.c +@@ -136,7 +136,7 @@ static int brb_push(struct bop_ring_buffer *brb, + return 0; + } + +-static int brb_pop(struct bop_ring_buffer *brb, struct block_op *result) ++static int brb_peek(struct bop_ring_buffer *brb, struct block_op *result) + { + struct block_op *bop; + +@@ -147,6 +147,14 @@ static int brb_pop(struct bop_ring_buffer *brb, struct block_op *result) + result->type = bop->type; + result->block = bop->block; + ++ return 0; ++} ++ ++static int brb_pop(struct bop_ring_buffer *brb) ++{ ++ if (brb_empty(brb)) ++ return -ENODATA; ++ + brb->begin = brb_next(brb, brb->begin); + + return 0; +@@ -211,7 +219,7 @@ static int apply_bops(struct sm_metadata *smm) + while (!brb_empty(&smm->uncommitted)) { + struct block_op bop; + +- r = brb_pop(&smm->uncommitted, &bop); ++ r = brb_peek(&smm->uncommitted, &bop); + if (r) { + DMERR("bug in bop ring buffer"); + break; +@@ -220,6 +228,8 @@ static int apply_bops(struct sm_metadata *smm) + r = commit_bop(smm, &bop); + if (r) + break; ++ ++ brb_pop(&smm->uncommitted); + } + + return r; +@@ -681,7 +691,6 @@ static struct dm_space_map bootstrap_ops = { + static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks) + { + int r, i; +- enum allocation_event ev; + struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm); + dm_block_t old_len = smm->ll.nr_blocks; + +@@ -703,11 +712,12 @@ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks) + * allocate any new blocks. + */ + do { +- for (i = old_len; !r && i < smm->begin; i++) { +- r = sm_ll_inc(&smm->ll, i, &ev); +- if (r) +- goto out; +- } ++ for (i = old_len; !r && i < smm->begin; i++) ++ r = add_bop(smm, BOP_INC, i); ++ ++ if (r) ++ goto out; ++ + old_len = smm->begin; + + r = apply_bops(smm); +@@ -752,7 +762,6 @@ int dm_sm_metadata_create(struct dm_space_map *sm, + { + int r; + dm_block_t i; +- enum allocation_event ev; + struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm); + + smm->begin = superblock + 1; +@@ -780,7 +789,7 @@ int dm_sm_metadata_create(struct dm_space_map *sm, + * allocated blocks that they were built from. + */ + for (i = superblock; !r && i < smm->begin; i++) +- r = sm_ll_inc(&smm->ll, i, &ev); ++ r = add_bop(smm, BOP_INC, i); + + if (r) + return r; +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index 1f925e856974..46a984291b7d 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -2195,9 +2195,9 @@ static int dvb_frontend_ioctl_legacy(struct file *file, + dev_dbg(fe->dvb->device, "%s: current delivery system on cache: %d, V3 type: %d\n", + __func__, c->delivery_system, fe->ops.info.type); + +- /* Force the CAN_INVERSION_AUTO bit on. If the frontend doesn't +- * do it, it is done for it. */ +- info->caps |= FE_CAN_INVERSION_AUTO; ++ /* Set CAN_INVERSION_AUTO bit on in other than oneshot mode */ ++ if (!(fepriv->tune_mode_flags & FE_TUNE_MODE_ONESHOT)) ++ info->caps |= FE_CAN_INVERSION_AUTO; + err = 0; + break; + } +diff --git a/drivers/media/dvb-frontends/tda1004x.c b/drivers/media/dvb-frontends/tda1004x.c +index a2631be7ffac..08e0f0dd8728 100644 +--- a/drivers/media/dvb-frontends/tda1004x.c ++++ b/drivers/media/dvb-frontends/tda1004x.c +@@ -903,9 +903,18 @@ static int tda1004x_get_fe(struct dvb_frontend *fe) + { + struct dtv_frontend_properties *fe_params = &fe->dtv_property_cache; + struct tda1004x_state* state = fe->demodulator_priv; ++ int status; + + dprintk("%s\n", __func__); + ++ status = tda1004x_read_byte(state, TDA1004X_STATUS_CD); ++ if (status == -1) ++ return -EIO; ++ ++ /* Only update the properties cache if device is locked */ ++ if (!(status & 8)) ++ return 0; ++ + // inversion status + fe_params->inversion = INVERSION_OFF; + if (tda1004x_read_byte(state, TDA1004X_CONFC1) & 0x20) +diff --git a/drivers/media/usb/gspca/ov534.c b/drivers/media/usb/gspca/ov534.c +index 90f0d637cd9d..cd05840abc91 100644 +--- a/drivers/media/usb/gspca/ov534.c ++++ b/drivers/media/usb/gspca/ov534.c +@@ -1490,8 +1490,13 @@ static void sd_set_streamparm(struct gspca_dev *gspca_dev, + struct v4l2_fract *tpf = &cp->timeperframe; + struct sd *sd = (struct sd *) gspca_dev; + +- /* Set requested framerate */ +- sd->frame_rate = tpf->denominator / tpf->numerator; ++ if (tpf->numerator == 0 || tpf->denominator == 0) ++ /* Set default framerate */ ++ sd->frame_rate = 30; ++ else ++ /* Set requested framerate */ ++ sd->frame_rate = tpf->denominator / tpf->numerator; ++ + if (gspca_dev->streaming) + set_frame_rate(gspca_dev); + +diff --git a/drivers/media/usb/gspca/topro.c b/drivers/media/usb/gspca/topro.c +index 640c2fe760b3..a6fbb2a07979 100644 +--- a/drivers/media/usb/gspca/topro.c ++++ b/drivers/media/usb/gspca/topro.c +@@ -4792,7 +4792,11 @@ static void sd_set_streamparm(struct gspca_dev *gspca_dev, + struct v4l2_fract *tpf = &cp->timeperframe; + int fr, i; + +- sd->framerate = tpf->denominator / tpf->numerator; ++ if (tpf->numerator == 0 || tpf->denominator == 0) ++ sd->framerate = 30; ++ else ++ sd->framerate = tpf->denominator / tpf->numerator; ++ + if (gspca_dev->streaming) + setframerate(gspca_dev, v4l2_ctrl_g_ctrl(gspca_dev->exposure)); + +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index d71f5ef036e0..92aeb1d2b41b 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -62,8 +62,7 @@ MODULE_ALIAS("mmc:block"); + #define MMC_SANITIZE_REQ_TIMEOUT 240000 + #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16) + +-#define mmc_req_rel_wr(req) (((req->cmd_flags & REQ_FUA) || \ +- (req->cmd_flags & REQ_META)) && \ ++#define mmc_req_rel_wr(req) ((req->cmd_flags & REQ_FUA) && \ + (rq_data_dir(req) == WRITE)) + #define PACKED_CMD_VER 0x01 + #define PACKED_CMD_WR 0x02 +@@ -1328,13 +1327,9 @@ static void mmc_blk_rw_rq_prep(struct mmc_queue_req *mqrq, + + /* + * Reliable writes are used to implement Forced Unit Access and +- * REQ_META accesses, and are supported only on MMCs. +- * +- * XXX: this really needs a good explanation of why REQ_META +- * is treated special. ++ * are supported only on MMCs. + */ +- bool do_rel_wr = ((req->cmd_flags & REQ_FUA) || +- (req->cmd_flags & REQ_META)) && ++ bool do_rel_wr = (req->cmd_flags & REQ_FUA) && + (rq_data_dir(req) == WRITE) && + (md->flags & MMC_BLK_REL_WR); + +diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c +index 4d721c6e2af0..ae360b3b4fda 100644 +--- a/drivers/mmc/core/sdio.c ++++ b/drivers/mmc/core/sdio.c +@@ -670,7 +670,7 @@ try_again: + */ + if (!powered_resume && (rocr & ocr & R4_18V_PRESENT)) { + err = mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_180, +- ocr); ++ ocr_card); + if (err == -EAGAIN) { + sdio_reset(host); + mmc_go_idle(host); +diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c +index b93122636531..8103db25db69 100644 +--- a/drivers/mmc/host/mmci.c ++++ b/drivers/mmc/host/mmci.c +@@ -1860,7 +1860,7 @@ static struct amba_id mmci_ids[] = { + { + .id = 0x00280180, + .mask = 0x00ffffff, +- .data = &variant_u300, ++ .data = &variant_nomadik, + }, + { + .id = 0x00480180, +diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c +index 881bf89acfcc..75d3c28940f1 100644 +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -2663,7 +2663,7 @@ static int sdhci_runtime_pm_put(struct sdhci_host *host) + + static void sdhci_runtime_pm_bus_on(struct sdhci_host *host) + { +- if (host->runtime_suspended || host->bus_on) ++ if (host->bus_on) + return; + host->bus_on = true; + pm_runtime_get_noresume(host->mmc->parent); +@@ -2671,7 +2671,7 @@ static void sdhci_runtime_pm_bus_on(struct sdhci_host *host) + + static void sdhci_runtime_pm_bus_off(struct sdhci_host *host) + { +- if (host->runtime_suspended || !host->bus_on) ++ if (!host->bus_on) + return; + host->bus_on = false; + pm_runtime_put_noidle(host->mmc->parent); +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c +index c2d0559115d3..732a8ed571c2 100644 +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -187,6 +187,9 @@ static void sja1000_start(struct net_device *dev) + /* clear interrupt flags */ + priv->read_reg(priv, SJA1000_IR); + ++ /* clear interrupt flags */ ++ priv->read_reg(priv, SJA1000_IR); ++ + /* leave reset mode */ + set_normal_mode(dev); + } +diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c +index 52c42fd49510..a5735a7797f8 100644 +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -117,6 +117,9 @@ MODULE_LICENSE("GPL v2"); + */ + #define EMS_USB_ARM7_CLOCK 8000000 + ++#define CPC_TX_QUEUE_TRIGGER_LOW 25 ++#define CPC_TX_QUEUE_TRIGGER_HIGH 35 ++ + /* + * CAN-Message representation in a CPC_MSG. Message object type is + * CPC_MSG_TYPE_CAN_FRAME or CPC_MSG_TYPE_RTR_FRAME or +@@ -278,6 +281,11 @@ static void ems_usb_read_interrupt_callback(struct urb *urb) + switch (urb->status) { + case 0: + dev->free_slots = dev->intr_in_buffer[1]; ++ if(dev->free_slots > CPC_TX_QUEUE_TRIGGER_HIGH){ ++ if (netif_queue_stopped(netdev)){ ++ netif_wake_queue(netdev); ++ } ++ } + break; + + case -ECONNRESET: /* unlink */ +@@ -529,8 +537,6 @@ static void ems_usb_write_bulk_callback(struct urb *urb) + /* Release context */ + context->echo_index = MAX_TX_URBS; + +- if (netif_queue_stopped(netdev)) +- netif_wake_queue(netdev); + } + + /* +@@ -590,7 +596,7 @@ static int ems_usb_start(struct ems_usb *dev) + int err, i; + + dev->intr_in_buffer[0] = 0; +- dev->free_slots = 15; /* initial size */ ++ dev->free_slots = 50; /* initial size */ + + for (i = 0; i < MAX_RX_URBS; i++) { + struct urb *urb = NULL; +@@ -841,7 +847,7 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne + + /* Slow down tx path */ + if (atomic_read(&dev->active_tx_urbs) >= MAX_TX_URBS || +- dev->free_slots < 5) { ++ dev->free_slots < CPC_TX_QUEUE_TRIGGER_LOW) { + netif_stop_queue(netdev); + } + } +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +index 1fbeaa9dd202..6ef93562c6b7 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +@@ -2401,10 +2401,13 @@ void bnx2x_igu_clear_sb_gen(struct bnx2x *bp, u8 func, u8 idu_sb_id, + AEU_INPUTS_ATTN_BITS_IGU_PARITY_ERROR | \ + AEU_INPUTS_ATTN_BITS_MISC_PARITY_ERROR) + +-#define HW_PRTY_ASSERT_SET_3 (AEU_INPUTS_ATTN_BITS_MCP_LATCHED_ROM_PARITY | \ +- AEU_INPUTS_ATTN_BITS_MCP_LATCHED_UMP_RX_PARITY | \ +- AEU_INPUTS_ATTN_BITS_MCP_LATCHED_UMP_TX_PARITY | \ +- AEU_INPUTS_ATTN_BITS_MCP_LATCHED_SCPAD_PARITY) ++#define HW_PRTY_ASSERT_SET_3_WITHOUT_SCPAD \ ++ (AEU_INPUTS_ATTN_BITS_MCP_LATCHED_ROM_PARITY | \ ++ AEU_INPUTS_ATTN_BITS_MCP_LATCHED_UMP_RX_PARITY | \ ++ AEU_INPUTS_ATTN_BITS_MCP_LATCHED_UMP_TX_PARITY) ++ ++#define HW_PRTY_ASSERT_SET_3 (HW_PRTY_ASSERT_SET_3_WITHOUT_SCPAD | \ ++ AEU_INPUTS_ATTN_BITS_MCP_LATCHED_SCPAD_PARITY) + + #define HW_PRTY_ASSERT_SET_4 (AEU_INPUTS_ATTN_BITS_PGLUE_PARITY_ERROR | \ + AEU_INPUTS_ATTN_BITS_ATC_PARITY_ERROR) +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 242874041ba4..e157adb85b2a 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -4631,9 +4631,7 @@ static bool bnx2x_check_blocks_with_parity3(struct bnx2x *bp, u32 sig, + res |= true; + break; + case AEU_INPUTS_ATTN_BITS_MCP_LATCHED_SCPAD_PARITY: +- if (print) +- _print_next_block((*par_num)++, +- "MCP SCPAD"); ++ (*par_num)++; + /* clear latched SCPAD PATIRY from MCP */ + REG_WR(bp, MISC_REG_AEU_CLR_LATCH_SIGNAL, + 1UL << 10); +@@ -4695,6 +4693,7 @@ static bool bnx2x_parity_attn(struct bnx2x *bp, bool *global, bool print, + (sig[3] & HW_PRTY_ASSERT_SET_3) || + (sig[4] & HW_PRTY_ASSERT_SET_4)) { + int par_num = 0; ++ + DP(NETIF_MSG_HW, "Was parity error: HW block parity attention:\n" + "[0]:0x%08x [1]:0x%08x [2]:0x%08x [3]:0x%08x [4]:0x%08x\n", + sig[0] & HW_PRTY_ASSERT_SET_0, +@@ -4702,9 +4701,18 @@ static bool bnx2x_parity_attn(struct bnx2x *bp, bool *global, bool print, + sig[2] & HW_PRTY_ASSERT_SET_2, + sig[3] & HW_PRTY_ASSERT_SET_3, + sig[4] & HW_PRTY_ASSERT_SET_4); +- if (print) +- netdev_err(bp->dev, +- "Parity errors detected in blocks: "); ++ if (print) { ++ if (((sig[0] & HW_PRTY_ASSERT_SET_0) || ++ (sig[1] & HW_PRTY_ASSERT_SET_1) || ++ (sig[2] & HW_PRTY_ASSERT_SET_2) || ++ (sig[4] & HW_PRTY_ASSERT_SET_4)) || ++ (sig[3] & HW_PRTY_ASSERT_SET_3_WITHOUT_SCPAD)) { ++ netdev_err(bp->dev, ++ "Parity errors detected in blocks: "); ++ } else { ++ print = false; ++ } ++ } + res |= bnx2x_check_blocks_with_parity0(bp, + sig[0] & HW_PRTY_ASSERT_SET_0, &par_num, print); + res |= bnx2x_check_blocks_with_parity1(bp, +diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c +index 988f9fec0bff..d8c1b69d0f66 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -367,6 +367,7 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = { + {IWL_PCI_DEVICE(0x095B, 0x5310, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095B, 0x5302, iwl7265_n_cfg)}, + {IWL_PCI_DEVICE(0x095B, 0x5210, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x5C10, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x5012, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x5412, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x5410, iwl7265_2ac_cfg)}, +@@ -383,10 +384,10 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = { + {IWL_PCI_DEVICE(0x095A, 0x9012, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x9110, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x9112, iwl7265_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x095A, 0x9210, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x9210, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095B, 0x9200, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x9510, iwl7265_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x095A, 0x9310, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x9310, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x9410, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x5020, iwl7265_2n_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x502A, iwl7265_2n_cfg)}, +diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c +index 7c7a388c85ab..126f641a9582 100644 +--- a/drivers/pci/hotplug/acpiphp_glue.c ++++ b/drivers/pci/hotplug/acpiphp_glue.c +@@ -1133,8 +1133,10 @@ int acpiphp_enable_slot(struct acpiphp_slot *slot) + { + pci_lock_rescan_remove(); + +- if (slot->flags & SLOT_IS_GOING_AWAY) ++ if (slot->flags & SLOT_IS_GOING_AWAY) { ++ pci_unlock_rescan_remove(); + return -ENODEV; ++ } + + mutex_lock(&slot->crit_sect); + /* configure all functions */ +diff --git a/drivers/pci/pcie/aer/aerdrv.c b/drivers/pci/pcie/aer/aerdrv.c +index 0bf82a20a0fb..48d21e0edd56 100644 +--- a/drivers/pci/pcie/aer/aerdrv.c ++++ b/drivers/pci/pcie/aer/aerdrv.c +@@ -262,7 +262,6 @@ static struct aer_rpc *aer_alloc_rpc(struct pcie_device *dev) + rpc->rpd = dev; + INIT_WORK(&rpc->dpc_handler, aer_isr); + mutex_init(&rpc->rpc_mutex); +- init_waitqueue_head(&rpc->wait_release); + + /* Use PCIe bus function to store rpc into PCIe device */ + set_service_data(dev, rpc); +@@ -285,8 +284,7 @@ static void aer_remove(struct pcie_device *dev) + if (rpc->isr) + free_irq(dev->irq, dev); + +- wait_event(rpc->wait_release, rpc->prod_idx == rpc->cons_idx); +- ++ flush_work(&rpc->dpc_handler); + aer_disable_rootport(rpc); + kfree(rpc); + set_service_data(dev, NULL); +diff --git a/drivers/pci/pcie/aer/aerdrv.h b/drivers/pci/pcie/aer/aerdrv.h +index 84420b7c9456..945c939a86c5 100644 +--- a/drivers/pci/pcie/aer/aerdrv.h ++++ b/drivers/pci/pcie/aer/aerdrv.h +@@ -72,7 +72,6 @@ struct aer_rpc { + * recovery on the same + * root port hierarchy + */ +- wait_queue_head_t wait_release; + }; + + struct aer_broadcast_data { +diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c +index b2c8881da764..777edcc4aab6 100644 +--- a/drivers/pci/pcie/aer/aerdrv_core.c ++++ b/drivers/pci/pcie/aer/aerdrv_core.c +@@ -785,8 +785,6 @@ void aer_isr(struct work_struct *work) + while (get_e_source(rpc, &e_src)) + aer_isr_one_error(p_device, &e_src); + mutex_unlock(&rpc->rpc_mutex); +- +- wake_up(&rpc->wait_release); + } + + /** +diff --git a/drivers/pci/xen-pcifront.c b/drivers/pci/xen-pcifront.c +index 179b8edc2262..318d535e337d 100644 +--- a/drivers/pci/xen-pcifront.c ++++ b/drivers/pci/xen-pcifront.c +@@ -52,7 +52,7 @@ struct pcifront_device { + }; + + struct pcifront_sd { +- int domain; ++ struct pci_sysdata sd; + struct pcifront_device *pdev; + }; + +@@ -66,7 +66,9 @@ static inline void pcifront_init_sd(struct pcifront_sd *sd, + unsigned int domain, unsigned int bus, + struct pcifront_device *pdev) + { +- sd->domain = domain; ++ /* Because we do not expose that information via XenBus. */ ++ sd->sd.node = first_online_node; ++ sd->sd.domain = domain; + sd->pdev = pdev; + } + +@@ -464,8 +466,8 @@ static int pcifront_scan_root(struct pcifront_device *pdev, + dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n", + domain, bus); + +- bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL); +- sd = kmalloc(sizeof(*sd), GFP_KERNEL); ++ bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL); ++ sd = kzalloc(sizeof(*sd), GFP_KERNEL); + if (!bus_entry || !sd) { + err = -ENOMEM; + goto err_out; +diff --git a/drivers/power/wm831x_power.c b/drivers/power/wm831x_power.c +index 3bed2f55cf7d..3ccadf631d45 100644 +--- a/drivers/power/wm831x_power.c ++++ b/drivers/power/wm831x_power.c +@@ -567,7 +567,7 @@ static int wm831x_power_probe(struct platform_device *pdev) + + irq = wm831x_irq(wm831x, platform_get_irq_byname(pdev, "SYSLO")); + ret = request_threaded_irq(irq, NULL, wm831x_syslo_irq, +- IRQF_TRIGGER_RISING, "System power low", ++ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "System power low", + power); + if (ret != 0) { + dev_err(&pdev->dev, "Failed to request SYSLO IRQ %d: %d\n", +@@ -577,7 +577,7 @@ static int wm831x_power_probe(struct platform_device *pdev) + + irq = wm831x_irq(wm831x, platform_get_irq_byname(pdev, "PWR SRC")); + ret = request_threaded_irq(irq, NULL, wm831x_pwr_src_irq, +- IRQF_TRIGGER_RISING, "Power source", ++ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "Power source", + power); + if (ret != 0) { + dev_err(&pdev->dev, "Failed to request PWR SRC IRQ %d: %d\n", +@@ -590,7 +590,7 @@ static int wm831x_power_probe(struct platform_device *pdev) + platform_get_irq_byname(pdev, + wm831x_bat_irqs[i])); + ret = request_threaded_irq(irq, NULL, wm831x_bat_irq, +- IRQF_TRIGGER_RISING, ++ IRQF_TRIGGER_RISING | IRQF_ONESHOT, + wm831x_bat_irqs[i], + power); + if (ret != 0) { +diff --git a/drivers/powercap/intel_rapl.c b/drivers/powercap/intel_rapl.c +index 3c6768378a94..4048d7f5babd 100644 +--- a/drivers/powercap/intel_rapl.c ++++ b/drivers/powercap/intel_rapl.c +@@ -1194,10 +1194,13 @@ static int rapl_detect_domains(struct rapl_package *rp, int cpu) + + for (rd = rp->domains; rd < rp->domains + rp->nr_domains; rd++) { + /* check if the domain is locked by BIOS */ +- if (rapl_read_data_raw(rd, FW_LOCK, false, &locked)) { ++ ret = rapl_read_data_raw(rd, FW_LOCK, false, &locked); ++ if (ret) ++ return ret; ++ if (locked) { + pr_info("RAPL package %d domain %s locked by BIOS\n", + rp->id, rd->name); +- rd->state |= DOMAIN_STATE_BIOS_LOCKED; ++ rd->state |= DOMAIN_STATE_BIOS_LOCKED; + } + } + +diff --git a/drivers/s390/block/dasd_alias.c b/drivers/s390/block/dasd_alias.c +index a2597e683e79..6a64e86e8ccd 100644 +--- a/drivers/s390/block/dasd_alias.c ++++ b/drivers/s390/block/dasd_alias.c +@@ -264,8 +264,10 @@ void dasd_alias_disconnect_device_from_lcu(struct dasd_device *device) + spin_unlock_irqrestore(&lcu->lock, flags); + cancel_work_sync(&lcu->suc_data.worker); + spin_lock_irqsave(&lcu->lock, flags); +- if (device == lcu->suc_data.device) ++ if (device == lcu->suc_data.device) { ++ dasd_put_device(device); + lcu->suc_data.device = NULL; ++ } + } + was_pending = 0; + if (device == lcu->ruac_data.device) { +@@ -273,8 +275,10 @@ void dasd_alias_disconnect_device_from_lcu(struct dasd_device *device) + was_pending = 1; + cancel_delayed_work_sync(&lcu->ruac_data.dwork); + spin_lock_irqsave(&lcu->lock, flags); +- if (device == lcu->ruac_data.device) ++ if (device == lcu->ruac_data.device) { ++ dasd_put_device(device); + lcu->ruac_data.device = NULL; ++ } + } + private->lcu = NULL; + spin_unlock_irqrestore(&lcu->lock, flags); +@@ -549,8 +553,10 @@ static void lcu_update_work(struct work_struct *work) + if ((rc && (rc != -EOPNOTSUPP)) || (lcu->flags & NEED_UAC_UPDATE)) { + DBF_DEV_EVENT(DBF_WARNING, device, "could not update" + " alias data in lcu (rc = %d), retry later", rc); +- schedule_delayed_work(&lcu->ruac_data.dwork, 30*HZ); ++ if (!schedule_delayed_work(&lcu->ruac_data.dwork, 30*HZ)) ++ dasd_put_device(device); + } else { ++ dasd_put_device(device); + lcu->ruac_data.device = NULL; + lcu->flags &= ~UPDATE_PENDING; + } +@@ -593,8 +599,10 @@ static int _schedule_lcu_update(struct alias_lcu *lcu, + */ + if (!usedev) + return -EINVAL; ++ dasd_get_device(usedev); + lcu->ruac_data.device = usedev; +- schedule_delayed_work(&lcu->ruac_data.dwork, 0); ++ if (!schedule_delayed_work(&lcu->ruac_data.dwork, 0)) ++ dasd_put_device(usedev); + return 0; + } + +@@ -722,7 +730,7 @@ static int reset_summary_unit_check(struct alias_lcu *lcu, + ASCEBC((char *) &cqr->magic, 4); + ccw = cqr->cpaddr; + ccw->cmd_code = DASD_ECKD_CCW_RSCK; +- ccw->flags = 0 ; ++ ccw->flags = CCW_FLAG_SLI; + ccw->count = 16; + ccw->cda = (__u32)(addr_t) cqr->data; + ((char *)cqr->data)[0] = reason; +@@ -926,6 +934,7 @@ static void summary_unit_check_handling_work(struct work_struct *work) + /* 3. read new alias configuration */ + _schedule_lcu_update(lcu, device); + lcu->suc_data.device = NULL; ++ dasd_put_device(device); + spin_unlock_irqrestore(&lcu->lock, flags); + } + +@@ -985,6 +994,8 @@ void dasd_alias_handle_summary_unit_check(struct dasd_device *device, + } + lcu->suc_data.reason = reason; + lcu->suc_data.device = device; ++ dasd_get_device(device); + spin_unlock(&lcu->lock); +- schedule_work(&lcu->suc_data.worker); ++ if (!schedule_work(&lcu->suc_data.worker)) ++ dasd_put_device(device); + }; +diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h +index 34452ea386ac..52636cfbab8f 100644 +--- a/drivers/scsi/megaraid/megaraid_sas.h ++++ b/drivers/scsi/megaraid/megaraid_sas.h +@@ -334,6 +334,8 @@ enum MR_EVT_ARGS { + MR_EVT_ARGS_GENERIC, + }; + ++ ++#define SGE_BUFFER_SIZE 4096 + /* + * define constants for device list query options + */ +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index c80afde97e96..9f833f1504cc 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3821,7 +3821,7 @@ static int megasas_init_fw(struct megasas_instance *instance) + } + } + instance->max_sectors_per_req = instance->max_num_sge * +- PAGE_SIZE / 512; ++ SGE_BUFFER_SIZE / 512; + if (tmp_sectors && (instance->max_sectors_per_req > tmp_sectors)) + instance->max_sectors_per_req = tmp_sectors; + +@@ -5281,6 +5281,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) + int i; + int error = 0; + compat_uptr_t ptr; ++ unsigned long local_raw_ptr; ++ u32 local_sense_off; ++ u32 local_sense_len; + + if (clear_user(ioc, sizeof(*ioc))) + return -EFAULT; +@@ -5298,9 +5301,15 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) + * sense_len is not null, so prepare the 64bit value under + * the same condition. + */ +- if (ioc->sense_len) { ++ if (get_user(local_raw_ptr, ioc->frame.raw) || ++ get_user(local_sense_off, &ioc->sense_off) || ++ get_user(local_sense_len, &ioc->sense_len)) ++ return -EFAULT; ++ ++ ++ if (local_sense_len) { + void __user **sense_ioc_ptr = +- (void __user **)(ioc->frame.raw + ioc->sense_off); ++ (void __user **)((u8*)local_raw_ptr + local_sense_off); + compat_uptr_t *sense_cioc_ptr = + (compat_uptr_t *)(cioc->frame.raw + cioc->sense_off); + if (get_user(ptr, sense_cioc_ptr) || +diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c +index eba183c428cf..3643bbf5456d 100644 +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev) + static int ses_recv_diag(struct scsi_device *sdev, int page_code, + void *buf, int bufflen) + { ++ int ret; + unsigned char cmd[] = { + RECEIVE_DIAGNOSTIC, + 1, /* Set PCV bit */ +@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code, + bufflen & 0xff, + 0 + }; ++ unsigned char recv_page_code; + +- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, ++ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, + NULL, SES_TIMEOUT, SES_RETRIES, NULL); ++ if (unlikely(!ret)) ++ return ret; ++ ++ recv_page_code = ((unsigned char *)buf)[0]; ++ ++ if (likely(recv_page_code == page_code)) ++ return ret; ++ ++ /* successful diagnostic but wrong page code. This happens to some ++ * USB devices, just print a message and pretend there was an error */ ++ ++ sdev_printk(KERN_ERR, sdev, ++ "Wrong diagnostic page; asked for %d got %u\n", ++ page_code, recv_page_code); ++ ++ return -EINVAL; + } + + static int ses_send_diag(struct scsi_device *sdev, int page_code, +@@ -436,7 +454,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, + if (desc_ptr) + desc_ptr += len; + +- if (addl_desc_ptr) ++ if (addl_desc_ptr && ++ /* only find additional descriptions for specific devices */ ++ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || ++ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE || ++ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER || ++ /* these elements are optional */ ++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT || ++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT || ++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) + addl_desc_ptr += addl_desc_ptr[1] + 2; + + } +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 3bb6646bb406..f9da66fa850b 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1610,8 +1610,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) + vm_srb->win8_extension.time_out_value = 60; + + vm_srb->win8_extension.srb_flags |= +- (SRB_FLAGS_QUEUE_ACTION_ENABLE | +- SRB_FLAGS_DISABLE_SYNCH_TRANSFER); ++ SRB_FLAGS_DISABLE_SYNCH_TRANSFER; + + /* Build the SRB */ + switch (scmnd->sc_data_direction) { +diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c +index f89b24a09b19..231d63caa663 100644 +--- a/drivers/target/target_core_sbc.c ++++ b/drivers/target/target_core_sbc.c +@@ -314,7 +314,8 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + return 0; + } + +-static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success) ++static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success, ++ int *post_ret) + { + unsigned char *buf, *addr; + struct scatterlist *sg; +@@ -378,7 +379,8 @@ sbc_execute_rw(struct se_cmd *cmd) + cmd->data_direction); + } + +-static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success) ++static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success, ++ int *post_ret) + { + struct se_device *dev = cmd->se_dev; + +@@ -388,8 +390,10 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success) + * sent to the backend driver. + */ + spin_lock_irq(&cmd->t_state_lock); +- if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) ++ if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) { + cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST; ++ *post_ret = 1; ++ } + spin_unlock_irq(&cmd->t_state_lock); + + /* +@@ -401,7 +405,8 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success) + return TCM_NO_SENSE; + } + +-static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success) ++static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success, ++ int *post_ret) + { + struct se_device *dev = cmd->se_dev; + struct scatterlist *write_sg = NULL, *sg; +@@ -497,11 +502,11 @@ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool succes + + if (block_size < PAGE_SIZE) { + sg_set_page(&write_sg[i], m.page, block_size, +- block_size); ++ m.piter.sg->offset + block_size); + } else { + sg_miter_next(&m); + sg_set_page(&write_sg[i], m.page, block_size, +- 0); ++ m.piter.sg->offset); + } + len -= block_size; + i++; +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 6fc38903046c..7afea9b59e2c 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1581,7 +1581,7 @@ bool target_stop_cmd(struct se_cmd *cmd, unsigned long *flags) + void transport_generic_request_failure(struct se_cmd *cmd, + sense_reason_t sense_reason) + { +- int ret = 0; ++ int ret = 0, post_ret = 0; + + pr_debug("-----[ Storage Engine Exception for cmd: %p ITT: 0x%08x" + " CDB: 0x%02x\n", cmd, cmd->se_tfo->get_task_tag(cmd), +@@ -1604,7 +1604,7 @@ void transport_generic_request_failure(struct se_cmd *cmd, + */ + if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) && + cmd->transport_complete_callback) +- cmd->transport_complete_callback(cmd, false); ++ cmd->transport_complete_callback(cmd, false, &post_ret); + + switch (sense_reason) { + case TCM_NON_EXISTENT_LUN: +@@ -1940,11 +1940,13 @@ static void target_complete_ok_work(struct work_struct *work) + */ + if (cmd->transport_complete_callback) { + sense_reason_t rc; ++ bool caw = (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE); ++ bool zero_dl = !(cmd->data_length); ++ int post_ret = 0; + +- rc = cmd->transport_complete_callback(cmd, true); +- if (!rc && !(cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE_POST)) { +- if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) && +- !cmd->data_length) ++ rc = cmd->transport_complete_callback(cmd, true, &post_ret); ++ if (!rc && !post_ret) { ++ if (caw && zero_dl) + goto queue_rsp; + + return; +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 2aca88715632..584514c7ed1f 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1810,6 +1810,11 @@ static const struct usb_device_id acm_ids[] = { + }, + #endif + ++ /*Samsung phone in firmware update mode */ ++ { USB_DEVICE(0x04e8, 0x685d), ++ .driver_info = IGNORE_DEVICE, ++ }, ++ + /* Exclude Infineon Flash Loader utility */ + { USB_DEVICE(0x058b, 0x0041), + .driver_info = IGNORE_DEVICE, +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 02e6fe228a63..21bf168981f9 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -162,6 +162,8 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ + { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ ++ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ ++ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ + { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 81f6a572f016..9bab34cf01d4 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -315,6 +315,7 @@ static void option_instat_callback(struct urb *urb); + #define TOSHIBA_PRODUCT_G450 0x0d45 + + #define ALINK_VENDOR_ID 0x1e0e ++#define SIMCOM_PRODUCT_SIM7100E 0x9001 /* Yes, ALINK_VENDOR_ID */ + #define ALINK_PRODUCT_PH300 0x9100 + #define ALINK_PRODUCT_3GU 0x9200 + +@@ -615,6 +616,10 @@ static const struct option_blacklist_info zte_1255_blacklist = { + .reserved = BIT(3) | BIT(4), + }; + ++static const struct option_blacklist_info simcom_sim7100e_blacklist = { ++ .reserved = BIT(5) | BIT(6), ++}; ++ + static const struct option_blacklist_info telit_le910_blacklist = { + .sendsetup = BIT(0), + .reserved = BIT(1) | BIT(2), +@@ -1130,6 +1135,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC650) }, + { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC680) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6000)}, /* ZTE AC8700 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(QUALCOMM_VENDOR_ID, 0x6001, 0xff, 0xff, 0xff), /* 4G LTE usb-modem U901 */ ++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ +@@ -1645,6 +1652,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(ALINK_VENDOR_ID, 0x9000) }, + { USB_DEVICE(ALINK_VENDOR_ID, ALINK_PRODUCT_PH300) }, + { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E), ++ .driver_info = (kernel_ulong_t)&simcom_sim7100e_blacklist }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200), + .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist + }, +diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c +index fed0ce198ae3..64eba4f51f71 100644 +--- a/drivers/virtio/virtio.c ++++ b/drivers/virtio/virtio.c +@@ -249,6 +249,7 @@ static int virtio_init(void) + static void __exit virtio_exit(void) + { + bus_unregister(&virtio_bus); ++ ida_destroy(&virtio_index_ida); + } + core_initcall(virtio_init); + module_exit(virtio_exit); +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index f48d5fc352a9..469051b01fbf 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2336,6 +2336,7 @@ int open_ctree(struct super_block *sb, + if (btrfs_check_super_csum(bh->b_data)) { + printk(KERN_ERR "BTRFS: superblock checksum mismatch\n"); + err = -EINVAL; ++ brelse(bh); + goto fail_alloc; + } + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 08824fe6ef44..fb37441a592f 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -7511,15 +7511,28 @@ int btrfs_readpage(struct file *file, struct page *page) + static int btrfs_writepage(struct page *page, struct writeback_control *wbc) + { + struct extent_io_tree *tree; +- ++ struct inode *inode = page->mapping->host; ++ int ret; + + if (current->flags & PF_MEMALLOC) { + redirty_page_for_writepage(wbc, page); + unlock_page(page); + return 0; + } ++ ++ /* ++ * If we are under memory pressure we will call this directly from the ++ * VM, we need to make sure we have the inode referenced for the ordered ++ * extent. If not just return like we didn't do anything. ++ */ ++ if (!igrab(inode)) { ++ redirty_page_for_writepage(wbc, page); ++ return AOP_WRITEPAGE_ACTIVATE; ++ } + tree = &BTRFS_I(page->mapping->host)->io_tree; +- return extent_write_full_page(tree, page, btrfs_get_extent, wbc); ++ ret = extent_write_full_page(tree, page, btrfs_get_extent, wbc); ++ btrfs_add_delayed_iput(inode); ++ return ret; + } + + static int btrfs_writepages(struct address_space *mapping, +@@ -8612,9 +8625,11 @@ static int btrfs_symlink(struct inode *dir, struct dentry *dentry, + /* + * 2 items for inode item and ref + * 2 items for dir items ++ * 1 item for updating parent inode item ++ * 1 item for the inline extent item + * 1 item for xattr if selinux is on + */ +- trans = btrfs_start_transaction(root, 5); ++ trans = btrfs_start_transaction(root, 7); + if (IS_ERR(trans)) + return PTR_ERR(trans); + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 20d793542096..0fd23ab3b4ad 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -1377,7 +1377,21 @@ static int read_symlink(struct btrfs_root *root, + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto out; +- BUG_ON(ret); ++ if (ret) { ++ /* ++ * An empty symlink inode. Can happen in rare error paths when ++ * creating a symlink (transaction committed before the inode ++ * eviction handler removed the symlink inode items and a crash ++ * happened in between or the subvol was snapshoted in between). ++ * Print an informative message to dmesg/syslog so that the user ++ * can delete the symlink. ++ */ ++ btrfs_err(root->fs_info, ++ "Found empty symlink inode %llu at root %llu", ++ ino, root->root_key.objectid); ++ ret = -EIO; ++ goto out; ++ } + + ei = btrfs_item_ptr(path->nodes[0], path->slots[0], + struct btrfs_file_extent_item); +diff --git a/fs/dcache.c b/fs/dcache.c +index 65ccdf0e2854..9b235362efcd 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -439,42 +439,12 @@ void d_drop(struct dentry *dentry) + } + EXPORT_SYMBOL(d_drop); + +-/* +- * Finish off a dentry we've decided to kill. +- * dentry->d_lock must be held, returns with it unlocked. +- * If ref is non-zero, then decrement the refcount too. +- * Returns dentry requiring refcount drop, or NULL if we're done. +- */ +-static struct dentry * +-dentry_kill(struct dentry *dentry, int unlock_on_failure) +- __releases(dentry->d_lock) ++static void __dentry_kill(struct dentry *dentry) + { +- struct inode *inode; + struct dentry *parent = NULL; + bool can_free = true; +- +- if (unlikely(dentry->d_flags & DCACHE_DENTRY_KILLED)) { +- can_free = dentry->d_flags & DCACHE_MAY_FREE; +- spin_unlock(&dentry->d_lock); +- goto out; +- } +- +- inode = dentry->d_inode; +- if (inode && !spin_trylock(&inode->i_lock)) { +-relock: +- if (unlock_on_failure) { +- spin_unlock(&dentry->d_lock); +- cpu_relax(); +- } +- return dentry; /* try again with same dentry */ +- } + if (!IS_ROOT(dentry)) + parent = dentry->d_parent; +- if (parent && !spin_trylock(&parent->d_lock)) { +- if (inode) +- spin_unlock(&inode->i_lock); +- goto relock; +- } + + /* + * The dentry is now unrecoverably dead to the world. +@@ -518,9 +488,74 @@ relock: + can_free = false; + } + spin_unlock(&dentry->d_lock); +-out: + if (likely(can_free)) + dentry_free(dentry); ++} ++ ++/* ++ * Finish off a dentry we've decided to kill. ++ * dentry->d_lock must be held, returns with it unlocked. ++ * If ref is non-zero, then decrement the refcount too. ++ * Returns dentry requiring refcount drop, or NULL if we're done. ++ */ ++static struct dentry *dentry_kill(struct dentry *dentry) ++ __releases(dentry->d_lock) ++{ ++ struct inode *inode = dentry->d_inode; ++ struct dentry *parent = NULL; ++ ++ if (inode && unlikely(!spin_trylock(&inode->i_lock))) ++ goto failed; ++ ++ if (!IS_ROOT(dentry)) { ++ parent = dentry->d_parent; ++ if (unlikely(!spin_trylock(&parent->d_lock))) { ++ if (inode) ++ spin_unlock(&inode->i_lock); ++ goto failed; ++ } ++ } ++ ++ __dentry_kill(dentry); ++ return parent; ++ ++failed: ++ spin_unlock(&dentry->d_lock); ++ cpu_relax(); ++ return dentry; /* try again with same dentry */ ++} ++ ++static inline struct dentry *lock_parent(struct dentry *dentry) ++{ ++ struct dentry *parent = dentry->d_parent; ++ if (IS_ROOT(dentry)) ++ return NULL; ++ if (unlikely((int)dentry->d_lockref.count < 0)) ++ return NULL; ++ if (likely(spin_trylock(&parent->d_lock))) ++ return parent; ++ rcu_read_lock(); ++ spin_unlock(&dentry->d_lock); ++again: ++ parent = ACCESS_ONCE(dentry->d_parent); ++ spin_lock(&parent->d_lock); ++ /* ++ * We can't blindly lock dentry until we are sure ++ * that we won't violate the locking order. ++ * Any changes of dentry->d_parent must have ++ * been done with parent->d_lock held, so ++ * spin_lock() above is enough of a barrier ++ * for checking if it's still our child. ++ */ ++ if (unlikely(parent != dentry->d_parent)) { ++ spin_unlock(&parent->d_lock); ++ goto again; ++ } ++ rcu_read_unlock(); ++ if (parent != dentry) ++ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED); ++ else ++ parent = NULL; + return parent; + } + +@@ -580,7 +615,7 @@ repeat: + return; + + kill_it: +- dentry = dentry_kill(dentry, 1); ++ dentry = dentry_kill(dentry); + if (dentry) + goto repeat; + } +@@ -798,8 +833,11 @@ static void shrink_dentry_list(struct list_head *list) + struct dentry *dentry, *parent; + + while (!list_empty(list)) { ++ struct inode *inode; + dentry = list_entry(list->prev, struct dentry, d_lru); + spin_lock(&dentry->d_lock); ++ parent = lock_parent(dentry); ++ + /* + * The dispose list is isolated and dentries are not accounted + * to the LRU here, so we can simply remove it from the list +@@ -813,26 +851,33 @@ static void shrink_dentry_list(struct list_head *list) + */ + if ((int)dentry->d_lockref.count > 0) { + spin_unlock(&dentry->d_lock); ++ if (parent) ++ spin_unlock(&parent->d_lock); + continue; + } + +- parent = dentry_kill(dentry, 0); +- /* +- * If dentry_kill returns NULL, we have nothing more to do. +- */ +- if (!parent) ++ ++ if (unlikely(dentry->d_flags & DCACHE_DENTRY_KILLED)) { ++ bool can_free = dentry->d_flags & DCACHE_MAY_FREE; ++ spin_unlock(&dentry->d_lock); ++ if (parent) ++ spin_unlock(&parent->d_lock); ++ if (can_free) ++ dentry_free(dentry); + continue; ++ } + +- if (unlikely(parent == dentry)) { +- /* +- * trylocks have failed and d_lock has been held the +- * whole time, so it could not have been added to any +- * other lists. Just add it back to the shrink list. +- */ ++ inode = dentry->d_inode; ++ if (inode && unlikely(!spin_trylock(&inode->i_lock))) { + d_shrink_add(dentry, list); + spin_unlock(&dentry->d_lock); ++ if (parent) ++ spin_unlock(&parent->d_lock); + continue; + } ++ ++ __dentry_kill(dentry); ++ + /* + * We need to prune ancestors too. This is necessary to prevent + * quadratic behavior of shrink_dcache_parent(), but is also +@@ -840,8 +885,26 @@ static void shrink_dentry_list(struct list_head *list) + * fragmentation. + */ + dentry = parent; +- while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) +- dentry = dentry_kill(dentry, 1); ++ while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) { ++ parent = lock_parent(dentry); ++ if (dentry->d_lockref.count != 1) { ++ dentry->d_lockref.count--; ++ spin_unlock(&dentry->d_lock); ++ if (parent) ++ spin_unlock(&parent->d_lock); ++ break; ++ } ++ inode = dentry->d_inode; /* can't be NULL */ ++ if (unlikely(!spin_trylock(&inode->i_lock))) { ++ spin_unlock(&dentry->d_lock); ++ if (parent) ++ spin_unlock(&parent->d_lock); ++ cpu_relax(); ++ continue; ++ } ++ __dentry_kill(dentry); ++ dentry = parent; ++ } + } + } + +diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c +index fe649d325b1f..ce653dfb0ae3 100644 +--- a/fs/hostfs/hostfs_kern.c ++++ b/fs/hostfs/hostfs_kern.c +@@ -720,15 +720,13 @@ static int hostfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, + + init_special_inode(inode, mode, dev); + err = do_mknod(name, mode, MAJOR(dev), MINOR(dev)); +- if (!err) ++ if (err) + goto out_free; + + err = read_name(inode, name); + __putname(name); + if (err) + goto out_put; +- if (err) +- goto out_put; + + d_instantiate(dentry, inode); + return 0; +diff --git a/fs/lockd/host.c b/fs/lockd/host.c +index 969d589c848d..b5f3c3ab0d5f 100644 +--- a/fs/lockd/host.c ++++ b/fs/lockd/host.c +@@ -116,7 +116,7 @@ static struct nlm_host *nlm_alloc_host(struct nlm_lookup_host_info *ni, + atomic_inc(&nsm->sm_count); + else { + host = NULL; +- nsm = nsm_get_handle(ni->sap, ni->salen, ++ nsm = nsm_get_handle(ni->net, ni->sap, ni->salen, + ni->hostname, ni->hostname_len); + if (unlikely(nsm == NULL)) { + dprintk("lockd: %s failed; no nsm handle\n", +@@ -534,17 +534,18 @@ static struct nlm_host *next_host_state(struct hlist_head *cache, + + /** + * nlm_host_rebooted - Release all resources held by rebooted host ++ * @net: network namespace + * @info: pointer to decoded results of NLM_SM_NOTIFY call + * + * We were notified that the specified host has rebooted. Release + * all resources held by that peer. + */ +-void nlm_host_rebooted(const struct nlm_reboot *info) ++void nlm_host_rebooted(const struct net *net, const struct nlm_reboot *info) + { + struct nsm_handle *nsm; + struct nlm_host *host; + +- nsm = nsm_reboot_lookup(info); ++ nsm = nsm_reboot_lookup(net, info); + if (unlikely(nsm == NULL)) + return; + +diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c +index 6ae664b489af..13fac49aff7f 100644 +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -51,7 +51,6 @@ struct nsm_res { + }; + + static const struct rpc_program nsm_program; +-static LIST_HEAD(nsm_handles); + static DEFINE_SPINLOCK(nsm_lock); + + /* +@@ -259,33 +258,35 @@ void nsm_unmonitor(const struct nlm_host *host) + } + } + +-static struct nsm_handle *nsm_lookup_hostname(const char *hostname, +- const size_t len) ++static struct nsm_handle *nsm_lookup_hostname(const struct list_head *nsm_handles, ++ const char *hostname, const size_t len) + { + struct nsm_handle *nsm; + +- list_for_each_entry(nsm, &nsm_handles, sm_link) ++ list_for_each_entry(nsm, nsm_handles, sm_link) + if (strlen(nsm->sm_name) == len && + memcmp(nsm->sm_name, hostname, len) == 0) + return nsm; + return NULL; + } + +-static struct nsm_handle *nsm_lookup_addr(const struct sockaddr *sap) ++static struct nsm_handle *nsm_lookup_addr(const struct list_head *nsm_handles, ++ const struct sockaddr *sap) + { + struct nsm_handle *nsm; + +- list_for_each_entry(nsm, &nsm_handles, sm_link) ++ list_for_each_entry(nsm, nsm_handles, sm_link) + if (rpc_cmp_addr(nsm_addr(nsm), sap)) + return nsm; + return NULL; + } + +-static struct nsm_handle *nsm_lookup_priv(const struct nsm_private *priv) ++static struct nsm_handle *nsm_lookup_priv(const struct list_head *nsm_handles, ++ const struct nsm_private *priv) + { + struct nsm_handle *nsm; + +- list_for_each_entry(nsm, &nsm_handles, sm_link) ++ list_for_each_entry(nsm, nsm_handles, sm_link) + if (memcmp(nsm->sm_priv.data, priv->data, + sizeof(priv->data)) == 0) + return nsm; +@@ -350,6 +351,7 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, + + /** + * nsm_get_handle - Find or create a cached nsm_handle ++ * @net: network namespace + * @sap: pointer to socket address of handle to find + * @salen: length of socket address + * @hostname: pointer to C string containing hostname to find +@@ -362,11 +364,13 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, + * @hostname cannot be found in the handle cache. Returns NULL if + * an error occurs. + */ +-struct nsm_handle *nsm_get_handle(const struct sockaddr *sap, ++struct nsm_handle *nsm_get_handle(const struct net *net, ++ const struct sockaddr *sap, + const size_t salen, const char *hostname, + const size_t hostname_len) + { + struct nsm_handle *cached, *new = NULL; ++ struct lockd_net *ln = net_generic(net, lockd_net_id); + + if (hostname && memchr(hostname, '/', hostname_len) != NULL) { + if (printk_ratelimit()) { +@@ -381,9 +385,10 @@ retry: + spin_lock(&nsm_lock); + + if (nsm_use_hostnames && hostname != NULL) +- cached = nsm_lookup_hostname(hostname, hostname_len); ++ cached = nsm_lookup_hostname(&ln->nsm_handles, ++ hostname, hostname_len); + else +- cached = nsm_lookup_addr(sap); ++ cached = nsm_lookup_addr(&ln->nsm_handles, sap); + + if (cached != NULL) { + atomic_inc(&cached->sm_count); +@@ -397,7 +402,7 @@ retry: + } + + if (new != NULL) { +- list_add(&new->sm_link, &nsm_handles); ++ list_add(&new->sm_link, &ln->nsm_handles); + spin_unlock(&nsm_lock); + dprintk("lockd: created nsm_handle for %s (%s)\n", + new->sm_name, new->sm_addrbuf); +@@ -414,19 +419,22 @@ retry: + + /** + * nsm_reboot_lookup - match NLMPROC_SM_NOTIFY arguments to an nsm_handle ++ * @net: network namespace + * @info: pointer to NLMPROC_SM_NOTIFY arguments + * + * Returns a matching nsm_handle if found in the nsm cache. The returned + * nsm_handle's reference count is bumped. Otherwise returns NULL if some + * error occurred. + */ +-struct nsm_handle *nsm_reboot_lookup(const struct nlm_reboot *info) ++struct nsm_handle *nsm_reboot_lookup(const struct net *net, ++ const struct nlm_reboot *info) + { + struct nsm_handle *cached; ++ struct lockd_net *ln = net_generic(net, lockd_net_id); + + spin_lock(&nsm_lock); + +- cached = nsm_lookup_priv(&info->priv); ++ cached = nsm_lookup_priv(&ln->nsm_handles, &info->priv); + if (unlikely(cached == NULL)) { + spin_unlock(&nsm_lock); + dprintk("lockd: never saw rebooted peer '%.*s' before\n", +diff --git a/fs/lockd/netns.h b/fs/lockd/netns.h +index 5010b55628b4..414da99744e9 100644 +--- a/fs/lockd/netns.h ++++ b/fs/lockd/netns.h +@@ -16,6 +16,7 @@ struct lockd_net { + spinlock_t nsm_clnt_lock; + unsigned int nsm_users; + struct rpc_clnt *nsm_clnt; ++ struct list_head nsm_handles; + }; + + extern int lockd_net_id; +diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c +index 59a53f664005..bb1ad4df024d 100644 +--- a/fs/lockd/svc.c ++++ b/fs/lockd/svc.c +@@ -583,6 +583,7 @@ static int lockd_init_net(struct net *net) + INIT_DELAYED_WORK(&ln->grace_period_end, grace_ender); + INIT_LIST_HEAD(&ln->grace_list); + spin_lock_init(&ln->nsm_clnt_lock); ++ INIT_LIST_HEAD(&ln->nsm_handles); + return 0; + } + +diff --git a/fs/lockd/svc4proc.c b/fs/lockd/svc4proc.c +index b147d1ae71fd..09c576f26c7b 100644 +--- a/fs/lockd/svc4proc.c ++++ b/fs/lockd/svc4proc.c +@@ -421,7 +421,7 @@ nlm4svc_proc_sm_notify(struct svc_rqst *rqstp, struct nlm_reboot *argp, + return rpc_system_err; + } + +- nlm_host_rebooted(argp); ++ nlm_host_rebooted(SVC_NET(rqstp), argp); + return rpc_success; + } + +diff --git a/fs/lockd/svcproc.c b/fs/lockd/svcproc.c +index 21171f0c6477..fb26b9f522e7 100644 +--- a/fs/lockd/svcproc.c ++++ b/fs/lockd/svcproc.c +@@ -464,7 +464,7 @@ nlmsvc_proc_sm_notify(struct svc_rqst *rqstp, struct nlm_reboot *argp, + return rpc_system_err; + } + +- nlm_host_rebooted(argp); ++ nlm_host_rebooted(SVC_NET(rqstp), argp); + return rpc_success; + } + +diff --git a/fs/namei.c b/fs/namei.c +index f4f6460b6958..c24781f07cf3 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3085,6 +3085,10 @@ opened: + goto exit_fput; + } + out: ++ if (unlikely(error > 0)) { ++ WARN_ON(1); ++ error = -EINVAL; ++ } + if (got_write) + mnt_drop_write(nd->path.mnt); + path_put(&save_parent); +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 45a7dd36b4a6..3b5e86fd2800 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2187,9 +2187,9 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + dentry = d_add_unique(dentry, igrab(state->inode)); + if (dentry == NULL) { + dentry = opendata->dentry; +- } else if (dentry != ctx->dentry) { ++ } else { + dput(ctx->dentry); +- ctx->dentry = dget(dentry); ++ ctx->dentry = dentry; + } + nfs_set_verifier(dentry, + nfs_save_change_attribute(opendata->dir->d_inode)); +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index c402b672a474..1c02b300dc5d 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1482,7 +1482,7 @@ restart: + spin_unlock(&state->state_lock); + } + nfs4_put_open_state(state); +- clear_bit(NFS4CLNT_RECLAIM_NOGRACE, ++ clear_bit(NFS_STATE_RECLAIM_NOGRACE, + &state->flags); + spin_lock(&sp->so_lock); + goto restart; +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index eaa7374305a3..6b1d8498d208 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -165,7 +165,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) + if (!priv->task) + return ERR_PTR(-ESRCH); + +- mm = mm_access(priv->task, PTRACE_MODE_READ); ++ mm = mm_access(priv->task, PTRACE_MODE_READ_FSCREDS); + if (!mm || IS_ERR(mm)) + return mm; + down_read(&mm->mmap_sem); +@@ -1182,7 +1182,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, + if (!pm.buffer) + goto out_task; + +- mm = mm_access(task, PTRACE_MODE_READ); ++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); + ret = PTR_ERR(mm); + if (!mm || IS_ERR(mm)) + goto out_free; +diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c +index 678455d2d683..f9db7e9f6966 100644 +--- a/fs/proc/task_nommu.c ++++ b/fs/proc/task_nommu.c +@@ -216,7 +216,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) + if (!priv->task) + return ERR_PTR(-ESRCH); + +- mm = mm_access(priv->task, PTRACE_MODE_READ); ++ mm = mm_access(priv->task, PTRACE_MODE_READ_FSCREDS); + if (!mm || IS_ERR(mm)) { + put_task_struct(priv->task); + priv->task = NULL; +diff --git a/fs/splice.c b/fs/splice.c +index f345d53f94da..e64f59960ec5 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -949,6 +949,7 @@ ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd, + + splice_from_pipe_begin(sd); + do { ++ cond_resched(); + ret = splice_from_pipe_next(pipe, sd); + if (ret > 0) + ret = splice_from_pipe_feed(pipe, sd, actor); +@@ -1175,7 +1176,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, + long ret, bytes; + umode_t i_mode; + size_t len; +- int i, flags; ++ int i, flags, more; + + /* + * We require the input being a regular file, as we don't want to +@@ -1218,6 +1219,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, + * Don't block on output, we have to drain the direct pipe. + */ + sd->flags &= ~SPLICE_F_NONBLOCK; ++ more = sd->flags & SPLICE_F_MORE; + + while (len) { + size_t read_len; +@@ -1231,6 +1233,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, + sd->total_len = read_len; + + /* ++ * If more data is pending, set SPLICE_F_MORE ++ * If this is the last data and SPLICE_F_MORE was not set ++ * initially, clears it. ++ */ ++ if (read_len < len) ++ sd->flags |= SPLICE_F_MORE; ++ else if (!more) ++ sd->flags &= ~SPLICE_F_MORE; ++ /* + * NOTE: nonblocking mode only applies to the input. We + * must not do the output in nonblocking mode as then we + * could get stuck data in the internal pipe: +diff --git a/include/asm-generic/cputime_nsecs.h b/include/asm-generic/cputime_nsecs.h +index 2c9e62c2bfd0..f55fb04501ec 100644 +--- a/include/asm-generic/cputime_nsecs.h ++++ b/include/asm-generic/cputime_nsecs.h +@@ -70,7 +70,7 @@ typedef u64 __nocast cputime64_t; + */ + static inline cputime_t timespec_to_cputime(const struct timespec *val) + { +- u64 ret = val->tv_sec * NSEC_PER_SEC + val->tv_nsec; ++ u64 ret = (u64)val->tv_sec * NSEC_PER_SEC + val->tv_nsec; + return (__force cputime_t) ret; + } + static inline void cputime_to_timespec(const cputime_t ct, struct timespec *val) +@@ -86,7 +86,8 @@ static inline void cputime_to_timespec(const cputime_t ct, struct timespec *val) + */ + static inline cputime_t timeval_to_cputime(const struct timeval *val) + { +- u64 ret = val->tv_sec * NSEC_PER_SEC + val->tv_usec * NSEC_PER_USEC; ++ u64 ret = (u64)val->tv_sec * NSEC_PER_SEC + ++ val->tv_usec * NSEC_PER_USEC; + return (__force cputime_t) ret; + } + static inline void cputime_to_timeval(const cputime_t ct, struct timeval *val) +diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h +index 9a33c5f7e126..f6c229e2bffa 100644 +--- a/include/linux/enclosure.h ++++ b/include/linux/enclosure.h +@@ -29,7 +29,11 @@ + /* A few generic types ... taken from ses-2 */ + enum enclosure_component_type { + ENCLOSURE_COMPONENT_DEVICE = 0x01, ++ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07, ++ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14, ++ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15, + ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17, ++ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18, + }; + + /* ses-2 common element status */ +diff --git a/include/linux/lockd/lockd.h b/include/linux/lockd/lockd.h +index dcaad79f54ed..0adf073f13b3 100644 +--- a/include/linux/lockd/lockd.h ++++ b/include/linux/lockd/lockd.h +@@ -236,7 +236,8 @@ void nlm_rebind_host(struct nlm_host *); + struct nlm_host * nlm_get_host(struct nlm_host *); + void nlm_shutdown_hosts(void); + void nlm_shutdown_hosts_net(struct net *net); +-void nlm_host_rebooted(const struct nlm_reboot *); ++void nlm_host_rebooted(const struct net *net, ++ const struct nlm_reboot *); + + /* + * Host monitoring +@@ -244,11 +245,13 @@ void nlm_host_rebooted(const struct nlm_reboot *); + int nsm_monitor(const struct nlm_host *host); + void nsm_unmonitor(const struct nlm_host *host); + +-struct nsm_handle *nsm_get_handle(const struct sockaddr *sap, ++struct nsm_handle *nsm_get_handle(const struct net *net, ++ const struct sockaddr *sap, + const size_t salen, + const char *hostname, + const size_t hostname_len); +-struct nsm_handle *nsm_reboot_lookup(const struct nlm_reboot *info); ++struct nsm_handle *nsm_reboot_lookup(const struct net *net, ++ const struct nlm_reboot *info); + void nsm_release(struct nsm_handle *nsm); + + /* +diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h +index 0ae5807480f4..1e122cc9ea3e 100644 +--- a/include/linux/nfs_fs.h ++++ b/include/linux/nfs_fs.h +@@ -580,9 +580,7 @@ static inline int nfs3_proc_setacls(struct inode *inode, struct posix_acl *acl, + + static inline loff_t nfs_size_to_loff_t(__u64 size) + { +- if (size > (__u64) OFFSET_MAX - 1) +- return OFFSET_MAX - 1; +- return (loff_t) size; ++ return min_t(u64, size, OFFSET_MAX); + } + + static inline ino_t +diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h +index 7159a0a933df..97c8689c7e51 100644 +--- a/include/linux/tracepoint.h ++++ b/include/linux/tracepoint.h +@@ -14,8 +14,11 @@ + * See the file COPYING for more details. + */ + ++#include + #include + #include ++#include ++#include + #include + #include + +@@ -126,6 +129,9 @@ static inline void tracepoint_synchronize_unregister(void) + void *it_func; \ + void *__data; \ + \ ++ if (!cpu_online(raw_smp_processor_id())) \ ++ return; \ ++ \ + if (!(cond)) \ + return; \ + prercu; \ +diff --git a/include/net/af_unix.h b/include/net/af_unix.h +index e830c3dff61a..7bb69c9c3c43 100644 +--- a/include/net/af_unix.h ++++ b/include/net/af_unix.h +@@ -6,8 +6,8 @@ + #include + #include + +-void unix_inflight(struct file *fp); +-void unix_notinflight(struct file *fp); ++void unix_inflight(struct user_struct *user, struct file *fp); ++void unix_notinflight(struct user_struct *user, struct file *fp); + void unix_gc(void); + void wait_for_unix_gc(void); + struct sock *unix_get_socket(struct file *filp); +diff --git a/include/net/scm.h b/include/net/scm.h +index 262532d111f5..59fa93c01d2a 100644 +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -21,6 +21,7 @@ struct scm_creds { + struct scm_fp_list { + short count; + short max; ++ struct user_struct *user; + struct file *fp[SCM_MAX_FD]; + }; + +diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h +index e4b9e011d2a1..42606764d830 100644 +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -513,7 +513,7 @@ struct se_cmd { + sense_reason_t (*execute_cmd)(struct se_cmd *); + sense_reason_t (*execute_rw)(struct se_cmd *, struct scatterlist *, + u32, enum dma_data_direction); +- sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool); ++ sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool, int *); + + unsigned char *t_task_cdb; + unsigned char __t_task_cdb[TCM_MAX_COMMAND_SIZE]; +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index ebb8a9e937fa..2c2e5e70e4f3 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -1230,6 +1230,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) + if (!desc) + return NULL; + ++ chip_bus_lock(desc); + raw_spin_lock_irqsave(&desc->lock, flags); + + /* +@@ -1243,7 +1244,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) + if (!action) { + WARN(1, "Trying to free already-free IRQ %d\n", irq); + raw_spin_unlock_irqrestore(&desc->lock, flags); +- ++ chip_bus_sync_unlock(desc); + return NULL; + } + +@@ -1266,6 +1267,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) + #endif + + raw_spin_unlock_irqrestore(&desc->lock, flags); ++ chip_bus_sync_unlock(desc); + + unregister_handler_proc(irq, action); + +@@ -1339,9 +1341,7 @@ void free_irq(unsigned int irq, void *dev_id) + desc->affinity_notify = NULL; + #endif + +- chip_bus_lock(desc); + kfree(__free_irq(irq, dev_id)); +- chip_bus_sync_unlock(desc); + } + EXPORT_SYMBOL(free_irq); + +diff --git a/kernel/resource.c b/kernel/resource.c +index 3f285dce9347..449282e48bb1 100644 +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -961,9 +961,10 @@ struct resource * __request_region(struct resource *parent, + if (!conflict) + break; + if (conflict != parent) { +- parent = conflict; +- if (!(conflict->flags & IORESOURCE_BUSY)) ++ if (!(conflict->flags & IORESOURCE_BUSY)) { ++ parent = conflict; + continue; ++ } + } + if (conflict->flags & flags & IORESOURCE_MUXED) { + add_wait_queue(&muxed_resource_wait, &wait); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index bbe957762ace..46afc8cd69dd 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -937,6 +937,13 @@ inline int task_curr(const struct task_struct *p) + return cpu_curr(task_cpu(p)) == p; + } + ++/* ++ * switched_from, switched_to and prio_changed must _NOT_ drop rq->lock, ++ * use the balance_callback list if you want balancing. ++ * ++ * this means any call to check_class_changed() must be followed by a call to ++ * balance_callback(). ++ */ + static inline void check_class_changed(struct rq *rq, struct task_struct *p, + const struct sched_class *prev_class, + int oldprio) +@@ -1423,8 +1430,12 @@ ttwu_do_wakeup(struct rq *rq, struct task_struct *p, int wake_flags) + + p->state = TASK_RUNNING; + #ifdef CONFIG_SMP +- if (p->sched_class->task_woken) ++ if (p->sched_class->task_woken) { ++ /* ++ * XXX can drop rq->lock; most likely ok. ++ */ + p->sched_class->task_woken(rq, p); ++ } + + if (rq->idle_stamp) { + u64 delta = rq_clock(rq) - rq->idle_stamp; +@@ -1685,7 +1696,6 @@ out: + */ + int wake_up_process(struct task_struct *p) + { +- WARN_ON(task_is_stopped_or_traced(p)); + return try_to_wake_up(p, TASK_NORMAL, 0); + } + EXPORT_SYMBOL(wake_up_process); +@@ -2179,18 +2189,30 @@ static inline void pre_schedule(struct rq *rq, struct task_struct *prev) + } + + /* rq->lock is NOT held, but preemption is disabled */ +-static inline void post_schedule(struct rq *rq) ++static void __balance_callback(struct rq *rq) + { +- if (rq->post_schedule) { +- unsigned long flags; ++ struct callback_head *head, *next; ++ void (*func)(struct rq *rq); ++ unsigned long flags; + +- raw_spin_lock_irqsave(&rq->lock, flags); +- if (rq->curr->sched_class->post_schedule) +- rq->curr->sched_class->post_schedule(rq); +- raw_spin_unlock_irqrestore(&rq->lock, flags); ++ raw_spin_lock_irqsave(&rq->lock, flags); ++ head = rq->balance_callback; ++ rq->balance_callback = NULL; ++ while (head) { ++ func = (void (*)(struct rq *))head->func; ++ next = head->next; ++ head->next = NULL; ++ head = next; + +- rq->post_schedule = 0; ++ func(rq); + } ++ raw_spin_unlock_irqrestore(&rq->lock, flags); ++} ++ ++static inline void balance_callback(struct rq *rq) ++{ ++ if (unlikely(rq->balance_callback)) ++ __balance_callback(rq); + } + + #else +@@ -2199,7 +2221,7 @@ static inline void pre_schedule(struct rq *rq, struct task_struct *p) + { + } + +-static inline void post_schedule(struct rq *rq) ++static inline void balance_callback(struct rq *rq) + { + } + +@@ -2220,7 +2242,7 @@ asmlinkage void schedule_tail(struct task_struct *prev) + * FIXME: do we need to worry about rq being invalidated by the + * task_switch? + */ +- post_schedule(rq); ++ balance_callback(rq); + + #ifdef __ARCH_WANT_UNLOCKED_CTXSW + /* In this case, finish_task_switch does not reenable preemption */ +@@ -2732,7 +2754,7 @@ need_resched: + } else + raw_spin_unlock_irq(&rq->lock); + +- post_schedule(rq); ++ balance_callback(rq); + + sched_preempt_enable_no_resched(); + if (need_resched()) +@@ -2994,7 +3016,11 @@ void rt_mutex_setprio(struct task_struct *p, int prio) + + check_class_changed(rq, p, prev_class, oldprio); + out_unlock: ++ preempt_disable(); /* avoid rq from going away on us */ + __task_rq_unlock(rq); ++ ++ balance_callback(rq); ++ preempt_enable(); + } + #endif + +@@ -3500,10 +3526,17 @@ change: + enqueue_task(rq, p, 0); + + check_class_changed(rq, p, prev_class, oldprio); ++ preempt_disable(); /* avoid rq from going away on us */ + task_rq_unlock(rq, p, &flags); + + rt_mutex_adjust_pi(p); + ++ /* ++ * Run balance callbacks after we've adjusted the PI chain. ++ */ ++ balance_callback(rq); ++ preempt_enable(); ++ + return 0; + } + +@@ -5386,13 +5419,13 @@ static int init_rootdomain(struct root_domain *rd) + { + memset(rd, 0, sizeof(*rd)); + +- if (!alloc_cpumask_var(&rd->span, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL)) + goto out; +- if (!alloc_cpumask_var(&rd->online, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&rd->online, GFP_KERNEL)) + goto free_span; +- if (!alloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL)) + goto free_online; +- if (!alloc_cpumask_var(&rd->rto_mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL)) + goto free_dlo_mask; + + init_dl_bw(&rd->dl_bw); +@@ -6902,7 +6935,7 @@ void __init sched_init(void) + rq->sd = NULL; + rq->rd = NULL; + rq->cpu_power = SCHED_POWER_SCALE; +- rq->post_schedule = 0; ++ rq->balance_callback = NULL; + rq->active_balance = 0; + rq->next_balance = jiffies; + rq->push_cpu = 0; +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 8d3c5ddfdfdd..6ab59bb2947b 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -210,6 +210,25 @@ static inline int has_pushable_dl_tasks(struct rq *rq) + + static int push_dl_task(struct rq *rq); + ++static DEFINE_PER_CPU(struct callback_head, dl_push_head); ++static DEFINE_PER_CPU(struct callback_head, dl_pull_head); ++ ++static void push_dl_tasks(struct rq *); ++static void pull_dl_task(struct rq *); ++ ++static inline void queue_push_tasks(struct rq *rq) ++{ ++ if (!has_pushable_dl_tasks(rq)) ++ return; ++ ++ queue_balance_callback(rq, &per_cpu(dl_push_head, rq->cpu), push_dl_tasks); ++} ++ ++static inline void queue_pull_task(struct rq *rq) ++{ ++ queue_balance_callback(rq, &per_cpu(dl_pull_head, rq->cpu), pull_dl_task); ++} ++ + #else + + static inline +@@ -232,6 +251,13 @@ void dec_dl_migration(struct sched_dl_entity *dl_se, struct dl_rq *dl_rq) + { + } + ++static inline void queue_push_tasks(struct rq *rq) ++{ ++} ++ ++static inline void queue_pull_task(struct rq *rq) ++{ ++} + #endif /* CONFIG_SMP */ + + static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags); +@@ -1005,7 +1031,7 @@ struct task_struct *pick_next_task_dl(struct rq *rq) + #endif + + #ifdef CONFIG_SMP +- rq->post_schedule = has_pushable_dl_tasks(rq); ++ queue_push_tasks(rq); + #endif /* CONFIG_SMP */ + + return p; +@@ -1336,15 +1362,16 @@ static void push_dl_tasks(struct rq *rq) + ; + } + +-static int pull_dl_task(struct rq *this_rq) ++static void pull_dl_task(struct rq *this_rq) + { +- int this_cpu = this_rq->cpu, ret = 0, cpu; ++ int this_cpu = this_rq->cpu, cpu; + struct task_struct *p; ++ bool resched = false; + struct rq *src_rq; + u64 dmin = LONG_MAX; + + if (likely(!dl_overloaded(this_rq))) +- return 0; ++ return; + + /* + * Match the barrier from dl_set_overloaded; this guarantees that if we +@@ -1399,7 +1426,7 @@ static int pull_dl_task(struct rq *this_rq) + src_rq->curr->dl.deadline)) + goto skip; + +- ret = 1; ++ resched = true; + + deactivate_task(src_rq, p, 0); + set_task_cpu(p, this_cpu); +@@ -1412,7 +1439,8 @@ skip: + double_unlock_balance(this_rq, src_rq); + } + +- return ret; ++ if (resched) ++ resched_task(this_rq->curr); + } + + static void pre_schedule_dl(struct rq *rq, struct task_struct *prev) +@@ -1422,11 +1450,6 @@ static void pre_schedule_dl(struct rq *rq, struct task_struct *prev) + pull_dl_task(rq); + } + +-static void post_schedule_dl(struct rq *rq) +-{ +- push_dl_tasks(rq); +-} +- + /* + * Since the task is not running and a reschedule is not going to happen + * anytime soon on its runqueue, we try pushing it away now. +@@ -1529,7 +1552,7 @@ static void switched_from_dl(struct rq *rq, struct task_struct *p) + * from an overloaded cpu, if any. + */ + if (!rq->dl.dl_nr_running) +- pull_dl_task(rq); ++ queue_pull_task(rq); + #endif + } + +@@ -1539,8 +1562,6 @@ static void switched_from_dl(struct rq *rq, struct task_struct *p) + */ + static void switched_to_dl(struct rq *rq, struct task_struct *p) + { +- int check_resched = 1; +- + /* + * If p is throttled, don't consider the possibility + * of preempting rq->curr, the check will be done right +@@ -1551,12 +1572,12 @@ static void switched_to_dl(struct rq *rq, struct task_struct *p) + + if (p->on_rq || rq->curr != p) { + #ifdef CONFIG_SMP +- if (rq->dl.overloaded && push_dl_task(rq) && rq != task_rq(p)) +- /* Only reschedule if pushing failed */ +- check_resched = 0; +-#endif /* CONFIG_SMP */ +- if (check_resched && task_has_dl_policy(rq->curr)) ++ if (rq->dl.overloaded) ++ queue_push_tasks(rq); ++#else ++ if (task_has_dl_policy(rq->curr)) + check_preempt_curr_dl(rq, p, 0); ++#endif /* CONFIG_SMP */ + } + } + +@@ -1576,15 +1597,14 @@ static void prio_changed_dl(struct rq *rq, struct task_struct *p, + * or lowering its prio, so... + */ + if (!rq->dl.overloaded) +- pull_dl_task(rq); ++ queue_pull_task(rq); + + /* + * If we now have a earlier deadline task than p, + * then reschedule, provided p is still on this + * runqueue. + */ +- if (dl_time_before(rq->dl.earliest_dl.curr, p->dl.deadline) && +- rq->curr == p) ++ if (dl_time_before(rq->dl.earliest_dl.curr, p->dl.deadline)) + resched_task(p); + #else + /* +@@ -1615,7 +1635,6 @@ const struct sched_class dl_sched_class = { + .rq_online = rq_online_dl, + .rq_offline = rq_offline_dl, + .pre_schedule = pre_schedule_dl, +- .post_schedule = post_schedule_dl, + .task_woken = task_woken_dl, + #endif + +diff --git a/kernel/sched/idle_task.c b/kernel/sched/idle_task.c +index 516c3d9ceea1..d08678d38d12 100644 +--- a/kernel/sched/idle_task.c ++++ b/kernel/sched/idle_task.c +@@ -19,11 +19,6 @@ static void pre_schedule_idle(struct rq *rq, struct task_struct *prev) + idle_exit_fair(rq); + rq_last_tick_reset(rq); + } +- +-static void post_schedule_idle(struct rq *rq) +-{ +- idle_enter_fair(rq); +-} + #endif /* CONFIG_SMP */ + /* + * Idle tasks are unconditionally rescheduled: +@@ -37,8 +32,7 @@ static struct task_struct *pick_next_task_idle(struct rq *rq) + { + schedstat_inc(rq, sched_goidle); + #ifdef CONFIG_SMP +- /* Trigger the post schedule to do an idle_enter for CFS */ +- rq->post_schedule = 1; ++ idle_enter_fair(rq); + #endif + return rq->idle; + } +@@ -102,7 +96,6 @@ const struct sched_class idle_sched_class = { + #ifdef CONFIG_SMP + .select_task_rq = select_task_rq_idle, + .pre_schedule = pre_schedule_idle, +- .post_schedule = post_schedule_idle, + #endif + + .set_curr_task = set_curr_task_idle, +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index 27b8e836307f..0fb72ae876e7 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -315,6 +315,25 @@ static inline int has_pushable_tasks(struct rq *rq) + return !plist_head_empty(&rq->rt.pushable_tasks); + } + ++static DEFINE_PER_CPU(struct callback_head, rt_push_head); ++static DEFINE_PER_CPU(struct callback_head, rt_pull_head); ++ ++static void push_rt_tasks(struct rq *); ++static void pull_rt_task(struct rq *); ++ ++static inline void queue_push_tasks(struct rq *rq) ++{ ++ if (!has_pushable_tasks(rq)) ++ return; ++ ++ queue_balance_callback(rq, &per_cpu(rt_push_head, rq->cpu), push_rt_tasks); ++} ++ ++static inline void queue_pull_task(struct rq *rq) ++{ ++ queue_balance_callback(rq, &per_cpu(rt_pull_head, rq->cpu), pull_rt_task); ++} ++ + static void enqueue_pushable_task(struct rq *rq, struct task_struct *p) + { + plist_del(&p->pushable_tasks, &rq->rt.pushable_tasks); +@@ -359,6 +378,9 @@ void dec_rt_migration(struct sched_rt_entity *rt_se, struct rt_rq *rt_rq) + { + } + ++static inline void queue_push_tasks(struct rq *rq) ++{ ++} + #endif /* CONFIG_SMP */ + + static inline int on_rt_rq(struct sched_rt_entity *rt_se) +@@ -1349,11 +1371,7 @@ static struct task_struct *pick_next_task_rt(struct rq *rq) + dequeue_pushable_task(rq, p); + + #ifdef CONFIG_SMP +- /* +- * We detect this state here so that we can avoid taking the RQ +- * lock again later if there is no need to push +- */ +- rq->post_schedule = has_pushable_tasks(rq); ++ queue_push_tasks(rq); + #endif + + return p; +@@ -1641,14 +1659,15 @@ static void push_rt_tasks(struct rq *rq) + ; + } + +-static int pull_rt_task(struct rq *this_rq) ++static void pull_rt_task(struct rq *this_rq) + { +- int this_cpu = this_rq->cpu, ret = 0, cpu; ++ int this_cpu = this_rq->cpu, cpu; ++ bool resched = false; + struct task_struct *p; + struct rq *src_rq; + + if (likely(!rt_overloaded(this_rq))) +- return 0; ++ return; + + /* + * Match the barrier from rt_set_overloaded; this guarantees that if we +@@ -1705,7 +1724,7 @@ static int pull_rt_task(struct rq *this_rq) + if (p->prio < src_rq->curr->prio) + goto skip; + +- ret = 1; ++ resched = true; + + deactivate_task(src_rq, p, 0); + set_task_cpu(p, this_cpu); +@@ -1721,7 +1740,8 @@ skip: + double_unlock_balance(this_rq, src_rq); + } + +- return ret; ++ if (resched) ++ resched_task(this_rq->curr); + } + + static void pre_schedule_rt(struct rq *rq, struct task_struct *prev) +@@ -1731,11 +1751,6 @@ static void pre_schedule_rt(struct rq *rq, struct task_struct *prev) + pull_rt_task(rq); + } + +-static void post_schedule_rt(struct rq *rq) +-{ +- push_rt_tasks(rq); +-} +- + /* + * If we are not running and we are not going to reschedule soon, we should + * try to push tasks away now +@@ -1829,8 +1844,7 @@ static void switched_from_rt(struct rq *rq, struct task_struct *p) + if (!p->on_rq || rq->rt.rt_nr_running) + return; + +- if (pull_rt_task(rq)) +- resched_task(rq->curr); ++ queue_pull_task(rq); + } + + void init_sched_rt_class(void) +@@ -1851,8 +1865,6 @@ void init_sched_rt_class(void) + */ + static void switched_to_rt(struct rq *rq, struct task_struct *p) + { +- int check_resched = 1; +- + /* + * If we are already running, then there's nothing + * that needs to be done. But if we are not running +@@ -1862,13 +1874,12 @@ static void switched_to_rt(struct rq *rq, struct task_struct *p) + */ + if (p->on_rq && rq->curr != p) { + #ifdef CONFIG_SMP +- if (rq->rt.overloaded && push_rt_task(rq) && +- /* Don't resched if we changed runqueues */ +- rq != task_rq(p)) +- check_resched = 0; +-#endif /* CONFIG_SMP */ +- if (check_resched && p->prio < rq->curr->prio) ++ if (rq->rt.overloaded) ++ queue_push_tasks(rq); ++#else ++ if (p->prio < rq->curr->prio) + resched_task(rq->curr); ++#endif /* CONFIG_SMP */ + } + } + +@@ -1889,14 +1900,13 @@ prio_changed_rt(struct rq *rq, struct task_struct *p, int oldprio) + * may need to pull tasks to this runqueue. + */ + if (oldprio < p->prio) +- pull_rt_task(rq); ++ queue_pull_task(rq); ++ + /* + * If there's a higher priority task waiting to run +- * then reschedule. Note, the above pull_rt_task +- * can release the rq lock and p could migrate. +- * Only reschedule if p is still on the same runqueue. ++ * then reschedule. + */ +- if (p->prio > rq->rt.highest_prio.curr && rq->curr == p) ++ if (p->prio > rq->rt.highest_prio.curr) + resched_task(p); + #else + /* For UP simply resched on drop of prio */ +@@ -2008,7 +2018,6 @@ const struct sched_class rt_sched_class = { + .rq_online = rq_online_rt, + .rq_offline = rq_offline_rt, + .pre_schedule = pre_schedule_rt, +- .post_schedule = post_schedule_rt, + .task_woken = task_woken_rt, + .switched_from = switched_from_rt, + #endif +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 835b6efa8bd6..675e147a86f2 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -587,9 +587,10 @@ struct rq { + + unsigned long cpu_power; + ++ struct callback_head *balance_callback; ++ + unsigned char idle_balance; + /* For active balancing */ +- int post_schedule; + int active_balance; + int push_cpu; + struct cpu_stop_work active_balance_work; +@@ -690,6 +691,21 @@ extern int migrate_swap(struct task_struct *, struct task_struct *); + + #ifdef CONFIG_SMP + ++static inline void ++queue_balance_callback(struct rq *rq, ++ struct callback_head *head, ++ void (*func)(struct rq *rq)) ++{ ++ lockdep_assert_held(&rq->lock); ++ ++ if (unlikely(head->next)) ++ return; ++ ++ head->func = (void (*)(struct callback_head *))func; ++ head->next = rq->balance_callback; ++ rq->balance_callback = head; ++} ++ + #define rcu_dereference_check_sched_domain(p) \ + rcu_dereference_check((p), \ + lockdep_is_held(&sched_domains_mutex)) +@@ -1131,7 +1147,6 @@ struct sched_class { + void (*migrate_task_rq)(struct task_struct *p, int next_cpu); + + void (*pre_schedule) (struct rq *this_rq, struct task_struct *task); +- void (*post_schedule) (struct rq *this_rq); + void (*task_waking) (struct task_struct *task); + void (*task_woken) (struct rq *this_rq, struct task_struct *task); + +diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c +index ce033c7aa2e8..9cff0ab82b63 100644 +--- a/kernel/time/posix-clock.c ++++ b/kernel/time/posix-clock.c +@@ -69,10 +69,10 @@ static ssize_t posix_clock_read(struct file *fp, char __user *buf, + static unsigned int posix_clock_poll(struct file *fp, poll_table *wait) + { + struct posix_clock *clk = get_posix_clock(fp); +- int result = 0; ++ unsigned int result = 0; + + if (!clk) +- return -ENODEV; ++ return POLLERR; + + if (clk->ops.poll) + result = clk->ops.poll(clk, fp, wait); +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index da41de9dc319..c798ed2fc281 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1949,12 +1949,6 @@ rb_set_commit_to_write(struct ring_buffer_per_cpu *cpu_buffer) + goto again; + } + +-static void rb_reset_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +-{ +- cpu_buffer->read_stamp = cpu_buffer->reader_page->page->time_stamp; +- cpu_buffer->reader_page->read = 0; +-} +- + static void rb_inc_iter(struct ring_buffer_iter *iter) + { + struct ring_buffer_per_cpu *cpu_buffer = iter->cpu_buffer; +@@ -3592,7 +3586,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) + + /* Finally update the reader page to the new head */ + cpu_buffer->reader_page = reader; +- rb_reset_reader_page(cpu_buffer); ++ cpu_buffer->reader_page->read = 0; + + if (overwrite != cpu_buffer->last_overrun) { + cpu_buffer->lost_events = overwrite - cpu_buffer->last_overrun; +@@ -3602,6 +3596,10 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) + goto again; + + out: ++ /* Update the read_stamp on the first event */ ++ if (reader && reader->read == 0) ++ cpu_buffer->read_stamp = reader->page->time_stamp; ++ + arch_spin_unlock(&cpu_buffer->lock); + local_irq_restore(flags); + +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index c6646a58d23e..bb1ac9cbe30a 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -606,7 +606,8 @@ t_next(struct seq_file *m, void *v, loff_t *pos) + * The ftrace subsystem is for showing formats only. + * They can not be enabled or disabled via the event files. + */ +- if (call->class && call->class->reg) ++ if (call->class && call->class->reg && ++ !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) + return file; + } + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 646a8b81bee1..423c9e37a9e7 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -1475,13 +1475,13 @@ static void __queue_delayed_work(int cpu, struct workqueue_struct *wq, + timer_stats_timer_set_start_info(&dwork->timer); + + dwork->wq = wq; +- /* timer isn't guaranteed to run in this cpu, record earlier */ +- if (cpu == WORK_CPU_UNBOUND) +- cpu = raw_smp_processor_id(); + dwork->cpu = cpu; + timer->expires = jiffies + delay; + +- add_timer_on(timer, cpu); ++ if (unlikely(cpu != WORK_CPU_UNBOUND)) ++ add_timer_on(timer, cpu); ++ else ++ add_timer(timer); + } + + /** +diff --git a/lib/devres.c b/lib/devres.c +index 823533138fa0..20afaf181b27 100644 +--- a/lib/devres.c ++++ b/lib/devres.c +@@ -423,7 +423,7 @@ void pcim_iounmap_regions(struct pci_dev *pdev, int mask) + if (!iomap) + return; + +- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) { ++ for (i = 0; i < PCIM_IOMAP_MAX; i++) { + if (!(mask & (1 << i))) + continue; + +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 2e87eecec8f6..04dd542697a7 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2279,7 +2279,7 @@ static int read_partial_message(struct ceph_connection *con) + con->in_base_pos = -front_len - middle_len - data_len - + sizeof(m->footer); + con->in_tag = CEPH_MSGR_TAG_READY; +- return 0; ++ return 1; + } else if ((s64)seq - (s64)con->in_seq > 1) { + pr_err("read_partial_message bad seq %lld expected %lld\n", + seq, con->in_seq + 1); +@@ -2312,7 +2312,7 @@ static int read_partial_message(struct ceph_connection *con) + sizeof(m->footer); + con->in_tag = CEPH_MSGR_TAG_READY; + con->in_seq++; +- return 0; ++ return 1; + } + + BUG_ON(!con->in_msg); +diff --git a/net/core/scm.c b/net/core/scm.c +index d30eb057fa7b..cad57a1390dd 100644 +--- a/net/core/scm.c ++++ b/net/core/scm.c +@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) + *fplp = fpl; + fpl->count = 0; + fpl->max = SCM_MAX_FD; ++ fpl->user = NULL; + } + fpp = &fpl->fp[fpl->count]; + +@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) + *fpp++ = file; + fpl->count++; + } ++ ++ if (!fpl->user) ++ fpl->user = get_uid(current_user()); ++ + return num; + } + +@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm) + scm->fp = NULL; + for (i=fpl->count-1; i>=0; i--) + fput(fpl->fp[i]); ++ free_uid(fpl->user); + kfree(fpl); + } + } +@@ -337,6 +343,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) + for (i = 0; i < fpl->count; i++) + get_file(fpl->fp[i]); + new_fpl->max = new_fpl->count; ++ new_fpl->user = get_uid(fpl->user); + } + return new_fpl; + } +diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c +index c49dcd0284a0..56dd8ac6d28b 100644 +--- a/net/ipv4/netfilter/ipt_rpfilter.c ++++ b/net/ipv4/netfilter/ipt_rpfilter.c +@@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4, + if (FIB_RES_DEV(res) == dev) + dev_match = true; + #endif +- if (dev_match || flags & XT_RPFILTER_LOOSE) +- return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST; +- return dev_match; ++ return dev_match || flags & XT_RPFILTER_LOOSE; + } + + static bool rpfilter_is_local(const struct sk_buff *skb) +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 3f0ec063d7f8..7b74fca4d850 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -4793,6 +4793,21 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, + return ret; + } + ++static ++int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, ++ void __user *buffer, size_t *lenp, loff_t *ppos) ++{ ++ struct inet6_dev *idev = ctl->extra1; ++ int min_mtu = IPV6_MIN_MTU; ++ struct ctl_table lctl; ++ ++ lctl = *ctl; ++ lctl.extra1 = &min_mtu; ++ lctl.extra2 = idev ? &idev->dev->mtu : NULL; ++ ++ return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos); ++} ++ + static void dev_disable_change(struct inet6_dev *idev) + { + struct netdev_notifier_info info; +@@ -4944,7 +4959,7 @@ static struct addrconf_sysctl_table + .data = &ipv6_devconf.mtu6, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = addrconf_sysctl_mtu, + }, + { + .procname = "accept_ra", +diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c +index a0d17270117c..bd174540eb21 100644 +--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c ++++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c +@@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr, + } + + static void +-synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb, ++synproxy_send_tcp(const struct synproxy_net *snet, ++ const struct sk_buff *skb, struct sk_buff *nskb, + struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo, + struct ipv6hdr *niph, struct tcphdr *nth, + unsigned int tcp_hdr_size) + { +- struct net *net = nf_ct_net((struct nf_conn *)nfct); ++ struct net *net = nf_ct_net(snet->tmpl); + struct dst_entry *dst; + struct flowi6 fl6; + +@@ -83,7 +84,8 @@ free_nskb: + } + + static void +-synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th, ++synproxy_send_client_synack(const struct synproxy_net *snet, ++ const struct sk_buff *skb, const struct tcphdr *th, + const struct synproxy_options *opts) + { + struct sk_buff *nskb; +@@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th, + + synproxy_build_options(nth, opts); + +- synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY, ++ synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY, + niph, nth, tcp_hdr_size); + } + +@@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct synproxy_net *snet, + + synproxy_build_options(nth, opts); + +- synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW, ++ synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW, + niph, nth, tcp_hdr_size); + } + +@@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct synproxy_net *snet, + + synproxy_build_options(nth, opts); + +- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); ++ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); + } + + static void +@@ -241,7 +243,7 @@ synproxy_send_client_ack(const struct synproxy_net *snet, + + synproxy_build_options(nth, opts); + +- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); ++ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); + } + + static bool +@@ -301,7 +303,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) + XT_SYNPROXY_OPT_SACK_PERM | + XT_SYNPROXY_OPT_ECN); + +- synproxy_send_client_synack(skb, th, &opts); ++ synproxy_send_client_synack(snet, skb, th, &opts); + return NF_DROP; + + } else if (th->ack && !(th->fin || th->rst || th->syn)) { +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index 7d050ed6fe5a..6d28bd434ce8 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -746,10 +746,8 @@ void mesh_plink_broken(struct sta_info *sta) + static void mesh_path_node_reclaim(struct rcu_head *rp) + { + struct mpath_node *node = container_of(rp, struct mpath_node, rcu); +- struct ieee80211_sub_if_data *sdata = node->mpath->sdata; + + del_timer_sync(&node->mpath->timer); +- atomic_dec(&sdata->u.mesh.mpaths); + kfree(node->mpath); + kfree(node); + } +@@ -757,8 +755,9 @@ static void mesh_path_node_reclaim(struct rcu_head *rp) + /* needs to be called with the corresponding hashwlock taken */ + static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) + { +- struct mesh_path *mpath; +- mpath = node->mpath; ++ struct mesh_path *mpath = node->mpath; ++ struct ieee80211_sub_if_data *sdata = node->mpath->sdata; ++ + spin_lock(&mpath->state_lock); + mpath->flags |= MESH_PATH_RESOLVING; + if (mpath->is_gate) +@@ -766,6 +765,7 @@ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) + hlist_del_rcu(&node->list); + call_rcu(&node->rcu, mesh_path_node_reclaim); + spin_unlock(&mpath->state_lock); ++ atomic_dec(&sdata->u.mesh.mpaths); + atomic_dec(&tbl->entries); + } + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 99de2409f731..4e8d90b8fc01 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3316,9 +3316,9 @@ EXPORT_SYMBOL_GPL(nft_data_init); + */ + void nft_data_uninit(const struct nft_data *data, enum nft_data_types type) + { +- switch (type) { +- case NFT_DATA_VALUE: ++ if (type < NFT_DATA_VERDICT) + return; ++ switch (type) { + case NFT_DATA_VERDICT: + return nft_verdict_uninit(data); + default: +diff --git a/net/rds/send.c b/net/rds/send.c +index a82fb660ec00..44222c0607c7 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + release_sock(sk); + } + +- /* racing with another thread binding seems ok here */ ++ lock_sock(sk); + if (daddr == 0 || rs->rs_bound_addr == 0) { ++ release_sock(sk); + ret = -ENOTCONN; /* XXX not a great errno */ + goto out; + } ++ release_sock(sk); + + /* size of rm including all sgs */ + ret = rds_rm_size(msg, payload_len); +diff --git a/net/rfkill/core.c b/net/rfkill/core.c +index ed7e0b4e7f90..4b9dc2460772 100644 +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -49,7 +49,6 @@ + struct rfkill { + spinlock_t lock; + +- const char *name; + enum rfkill_type type; + + unsigned long state; +@@ -73,6 +72,7 @@ struct rfkill { + struct delayed_work poll_work; + struct work_struct uevent_work; + struct work_struct sync_work; ++ char name[]; + }; + #define to_rfkill(d) container_of(d, struct rfkill, dev) + +@@ -861,14 +861,14 @@ struct rfkill * __must_check rfkill_alloc(const char *name, + if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES)) + return NULL; + +- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL); ++ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL); + if (!rfkill) + return NULL; + + spin_lock_init(&rfkill->lock); + INIT_LIST_HEAD(&rfkill->node); + rfkill->type = type; +- rfkill->name = name; ++ strcpy(rfkill->name, name); + rfkill->ops = ops; + rfkill->data = ops_data; + +@@ -1078,17 +1078,6 @@ static unsigned int rfkill_fop_poll(struct file *file, poll_table *wait) + return res; + } + +-static bool rfkill_readable(struct rfkill_data *data) +-{ +- bool r; +- +- mutex_lock(&data->mtx); +- r = !list_empty(&data->events); +- mutex_unlock(&data->mtx); +- +- return r; +-} +- + static ssize_t rfkill_fop_read(struct file *file, char __user *buf, + size_t count, loff_t *pos) + { +@@ -1105,8 +1094,11 @@ static ssize_t rfkill_fop_read(struct file *file, char __user *buf, + goto out; + } + mutex_unlock(&data->mtx); ++ /* since we re-check and it just compares pointers, ++ * using !list_empty() without locking isn't a problem ++ */ + ret = wait_event_interruptible(data->read_wait, +- rfkill_readable(data)); ++ !list_empty(&data->events)); + mutex_lock(&data->mtx); + + if (ret) +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 0adc66caae2f..07edbcd8697e 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1230,7 +1230,7 @@ int qword_get(char **bpp, char *dest, int bufsize) + if (bp[0] == '\\' && bp[1] == 'x') { + /* HEX STRING */ + bp += 2; +- while (len < bufsize) { ++ while (len < bufsize - 1) { + int h, l; + + h = hex_to_bin(bp[0]); +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 0cd18c240250..ab2eeb1cb32c 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1469,7 +1469,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) + UNIXCB(skb).fp = NULL; + + for (i = scm->fp->count-1; i >= 0; i--) +- unix_notinflight(scm->fp->fp[i]); ++ unix_notinflight(scm->fp->user, scm->fp->fp[i]); + } + + static void unix_destruct_scm(struct sk_buff *skb) +@@ -1534,7 +1534,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + return -ENOMEM; + + for (i = scm->fp->count - 1; i >= 0; i--) +- unix_inflight(scm->fp->fp[i]); ++ unix_inflight(scm->fp->user, scm->fp->fp[i]); + return max_level; + } + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 06730fe6ad9d..a72182d6750f 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -122,7 +122,7 @@ struct sock *unix_get_socket(struct file *filp) + * descriptor if it is for an AF_UNIX socket. + */ + +-void unix_inflight(struct file *fp) ++void unix_inflight(struct user_struct *user, struct file *fp) + { + struct sock *s = unix_get_socket(fp); + +@@ -139,11 +139,11 @@ void unix_inflight(struct file *fp) + } + unix_tot_inflight++; + } +- fp->f_cred->user->unix_inflight++; ++ user->unix_inflight++; + spin_unlock(&unix_gc_lock); + } + +-void unix_notinflight(struct file *fp) ++void unix_notinflight(struct user_struct *user, struct file *fp) + { + struct sock *s = unix_get_socket(fp); + +@@ -157,7 +157,7 @@ void unix_notinflight(struct file *fp) + list_del_init(&u->link); + unix_tot_inflight--; + } +- fp->f_cred->user->unix_inflight--; ++ user->unix_inflight--; + spin_unlock(&unix_gc_lock); + } + +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c +index 9c22317778eb..ee625e3a56ba 100644 +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname) + addr = umalloc(sb.st_size); + uread(fd_map, addr, sb.st_size); + } ++ if (sb.st_nlink != 1) { ++ /* file is hard-linked, break the hard link */ ++ close(fd_map); ++ if (unlink(fname) < 0) { ++ perror(fname); ++ fail_file(); ++ } ++ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode); ++ if (fd_map < 0) { ++ perror(fname); ++ fail_file(); ++ } ++ uwrite(fd_map, addr, sb.st_size); ++ } + return addr; + } + +diff --git a/tools/Makefile b/tools/Makefile +index feec3ad5fd09..6e8ac8982149 100644 +--- a/tools/Makefile ++++ b/tools/Makefile +@@ -24,6 +24,10 @@ help: + @echo ' from the kernel command line to build and install one of' + @echo ' the tools above' + @echo '' ++ @echo ' $$ make tools/all' ++ @echo '' ++ @echo ' builds all tools.' ++ @echo '' + @echo ' $$ make tools/install' + @echo '' + @echo ' installs all tools.' +@@ -58,6 +62,11 @@ turbostat x86_energy_perf_policy: FORCE + tmon: FORCE + $(call descend,thermal/$@) + ++all: acpi cgroup cpupower firewire lguest \ ++ perf selftests turbostat usb \ ++ virtio vm net x86_energy_perf_policy \ ++ tmon ++ + acpi_install: + $(call descend,power/$(@:_install=),install) + +diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c +index f2c80d5451c3..919095029528 100644 +--- a/virt/kvm/async_pf.c ++++ b/virt/kvm/async_pf.c +@@ -152,7 +152,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn, + * do alloc nowait since if we are going to sleep anyway we + * may as well sleep faulting in page + */ +- work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT); ++ work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN); + if (!work) + return 0; + diff --git a/patch/kernel/cubox-dev/patch-3.14.63-64.patch b/patch/kernel/cubox-dev/patch-3.14.63-64.patch new file mode 100644 index 000000000..1e253d6ab --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.63-64.patch @@ -0,0 +1,2736 @@ +diff --git a/Makefile b/Makefile +index 0843ef4cc0a4..de41fa82652f 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 63 ++SUBLEVEL = 64 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index 81e6ae0220bc..887535c4c93d 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -688,15 +688,15 @@ static int simulate_sync(struct pt_regs *regs, unsigned int opcode) + asmlinkage void do_ov(struct pt_regs *regs) + { + enum ctx_state prev_state; +- siginfo_t info; ++ siginfo_t info = { ++ .si_signo = SIGFPE, ++ .si_code = FPE_INTOVF, ++ .si_addr = (void __user *)regs->cp0_epc, ++ }; + + prev_state = exception_enter(); + die_if_kernel("Integer overflow", regs); + +- info.si_code = FPE_INTOVF; +- info.si_signo = SIGFPE; +- info.si_errno = 0; +- info.si_addr = (void __user *) regs->cp0_epc; + force_sig_info(SIGFPE, &info, current); + exception_exit(prev_state); + } +@@ -797,7 +797,7 @@ out: + static void do_trap_or_bp(struct pt_regs *regs, unsigned int code, + const char *str) + { +- siginfo_t info; ++ siginfo_t info = { 0 }; + char b[40]; + + #ifdef CONFIG_KGDB_LOW_LEVEL_TRAP +@@ -825,7 +825,6 @@ static void do_trap_or_bp(struct pt_regs *regs, unsigned int code, + else + info.si_code = FPE_INTOVF; + info.si_signo = SIGFPE; +- info.si_errno = 0; + info.si_addr = (void __user *) regs->cp0_epc; + force_sig_info(SIGFPE, &info, current); + break; +diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S +index 92a2e9333620..b74ac9c5710b 100644 +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -422,6 +422,7 @@ ENTRY(ia32_syscall) + /*CFI_REL_OFFSET cs,CS-RIP*/ + CFI_REL_OFFSET rip,RIP-RIP + PARAVIRT_ADJUST_EXCEPTION_FRAME ++ ASM_CLAC /* Do this early to minimize exposure */ + SWAPGS + /* + * No need to follow this irqs on/off section: the syscall +diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c +index 3a2ae4c88948..398c7a908c17 100644 +--- a/arch/x86/kernel/acpi/sleep.c ++++ b/arch/x86/kernel/acpi/sleep.c +@@ -16,6 +16,7 @@ + #include + #include + ++#include + #include "../../realmode/rm/wakeup.h" + #include "sleep.h" + +@@ -107,7 +108,13 @@ int x86_acpi_suspend_lowlevel(void) + saved_magic = 0x123456789abcdef0L; + #endif /* CONFIG_64BIT */ + ++ /* ++ * Pause/unpause graph tracing around do_suspend_lowlevel as it has ++ * inconsistent call/return info after it jumps to the wakeup vector. ++ */ ++ pause_graph_tracing(); + do_suspend_lowlevel(); ++ unpause_graph_tracing(); + return 0; + } + +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 6fecf0bde105..1e82d2a1e205 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -674,19 +674,18 @@ static int ata_ioc32(struct ata_port *ap) + int ata_sas_scsi_ioctl(struct ata_port *ap, struct scsi_device *scsidev, + int cmd, void __user *arg) + { +- int val = -EINVAL, rc = -EINVAL; ++ unsigned long val; ++ int rc = -EINVAL; + unsigned long flags; + + switch (cmd) { +- case ATA_IOC_GET_IO32: ++ case HDIO_GET_32BIT: + spin_lock_irqsave(ap->lock, flags); + val = ata_ioc32(ap); + spin_unlock_irqrestore(ap->lock, flags); +- if (copy_to_user(arg, &val, 1)) +- return -EFAULT; +- return 0; ++ return put_user(val, (unsigned long __user *)arg); + +- case ATA_IOC_SET_IO32: ++ case HDIO_SET_32BIT: + val = (unsigned long) arg; + rc = 0; + spin_lock_irqsave(ap->lock, flags); +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index b335c6ab5efe..b2dd473237e8 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -973,21 +973,26 @@ nomem: + */ + int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) + { ++ char *name; + int i, err; + + /* + * The memory controller needs its own bus, in order to avoid + * namespace conflicts at /sys/bus/edac. + */ +- mci->bus->name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); +- if (!mci->bus->name) ++ name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); ++ if (!name) + return -ENOMEM; + ++ mci->bus->name = name; ++ + edac_dbg(0, "creating bus %s\n", mci->bus->name); + + err = bus_register(mci->bus); +- if (err < 0) ++ if (err < 0) { ++ kfree(name); + return err; ++ } + + /* get the /sys/devices/system/edac subsys reference */ + mci->dev.type = &mci_attr_type; +@@ -1071,7 +1076,8 @@ fail: + fail2: + device_unregister(&mci->dev); + bus_unregister(mci->bus); +- kfree(mci->bus->name); ++ kfree(name); ++ + return err; + } + +@@ -1102,10 +1108,12 @@ void edac_remove_sysfs_mci_device(struct mem_ctl_info *mci) + + void edac_unregister_sysfs(struct mem_ctl_info *mci) + { ++ const char *name = mci->bus->name; ++ + edac_dbg(1, "Unregistering device %s\n", dev_name(&mci->dev)); + device_unregister(&mci->dev); + bus_unregister(mci->bus); +- kfree(mci->bus->name); ++ kfree(name); + } + + static void mc_attr_release(struct device *dev) +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c +index c0f284230a39..ed8d93cbd1ca 100644 +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -124,7 +124,7 @@ static int ast_get_dram_info(struct drm_device *dev) + } while (ast_read32(ast, 0x10000) != 0x01); + data = ast_read32(ast, 0x10004); + +- if (data & 0x400) ++ if (data & 0x40) + ast->dram_bus_width = 16; + else + ast->dram_bus_width = 32; +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index a49ce4a6e72f..1320a81df792 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2071,6 +2071,24 @@ isert_put_response(struct iscsi_conn *conn, struct iscsi_cmd *cmd) + return isert_post_response(isert_conn, isert_cmd); + } + ++static void ++isert_aborted_task(struct iscsi_conn *conn, struct iscsi_cmd *cmd) ++{ ++ struct isert_cmd *isert_cmd = iscsit_priv_cmd(cmd); ++ struct isert_conn *isert_conn = (struct isert_conn *)conn->context; ++ struct isert_device *device = isert_conn->conn_device; ++ ++ spin_lock_bh(&conn->cmd_lock); ++ if (!list_empty(&cmd->i_conn_node)) ++ list_del_init(&cmd->i_conn_node); ++ spin_unlock_bh(&conn->cmd_lock); ++ ++ if (cmd->data_direction == DMA_TO_DEVICE) ++ iscsit_stop_dataout_timer(cmd); ++ ++ device->unreg_rdma_mem(isert_cmd, isert_conn); ++} ++ + static int + isert_put_nopin(struct iscsi_cmd *cmd, struct iscsi_conn *conn, + bool nopout_response) +@@ -2999,6 +3017,7 @@ static struct iscsit_transport iser_target_transport = { + .iscsit_get_dataout = isert_get_dataout, + .iscsit_queue_data_in = isert_put_datain, + .iscsit_queue_status = isert_put_response, ++ .iscsit_aborted_task = isert_aborted_task, + }; + + static int __init isert_init(void) +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 0097b8dae5bc..727a88d9a708 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -3093,6 +3093,14 @@ static void srpt_queue_tm_rsp(struct se_cmd *cmd) + srpt_queue_response(cmd); + } + ++static void srpt_aborted_task(struct se_cmd *cmd) ++{ ++ struct srpt_send_ioctx *ioctx = container_of(cmd, ++ struct srpt_send_ioctx, cmd); ++ ++ srpt_unmap_sg_to_ib_sge(ioctx->ch, ioctx); ++} ++ + static int srpt_queue_status(struct se_cmd *cmd) + { + struct srpt_send_ioctx *ioctx; +@@ -3940,6 +3948,7 @@ static struct target_core_fabric_ops srpt_template = { + .queue_data_in = srpt_queue_data_in, + .queue_status = srpt_queue_status, + .queue_tm_rsp = srpt_queue_tm_rsp, ++ .aborted_task = srpt_aborted_task, + /* + * Setup function pointers for generic logic in + * target_core_fabric_configfs.c +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index 28b4bea7c109..a8e52ef6e266 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -226,6 +226,10 @@ static enum iommu_init_state init_state = IOMMU_START_STATE; + static int amd_iommu_enable_interrupts(void); + static int __init iommu_go_to_state(enum iommu_init_state state); + ++static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu, ++ u8 bank, u8 cntr, u8 fxn, ++ u64 *value, bool is_write); ++ + static inline void update_last_devid(u16 devid) + { + if (devid > amd_iommu_last_bdf) +@@ -1182,8 +1186,8 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu) + amd_iommu_pc_present = true; + + /* Check if the performance counters can be written to */ +- if ((0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val, true)) || +- (0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val2, false)) || ++ if ((0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val, true)) || ++ (0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val2, false)) || + (val != val2)) { + pr_err("AMD-Vi: Unable to write to IOMMU perf counter.\n"); + amd_iommu_pc_present = false; +@@ -2314,22 +2318,15 @@ u8 amd_iommu_pc_get_max_counters(u16 devid) + } + EXPORT_SYMBOL(amd_iommu_pc_get_max_counters); + +-int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn, ++static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu, ++ u8 bank, u8 cntr, u8 fxn, + u64 *value, bool is_write) + { +- struct amd_iommu *iommu; + u32 offset; + u32 max_offset_lim; + +- /* Make sure the IOMMU PC resource is available */ +- if (!amd_iommu_pc_present) +- return -ENODEV; +- +- /* Locate the iommu associated with the device ID */ +- iommu = amd_iommu_rlookup_table[devid]; +- + /* Check for valid iommu and pc register indexing */ +- if (WARN_ON((iommu == NULL) || (fxn > 0x28) || (fxn & 7))) ++ if (WARN_ON((fxn > 0x28) || (fxn & 7))) + return -ENODEV; + + offset = (u32)(((0x40|bank) << 12) | (cntr << 8) | fxn); +@@ -2353,3 +2350,16 @@ int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn, + return 0; + } + EXPORT_SYMBOL(amd_iommu_pc_get_set_reg_val); ++ ++int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn, ++ u64 *value, bool is_write) ++{ ++ struct amd_iommu *iommu = amd_iommu_rlookup_table[devid]; ++ ++ /* Make sure the IOMMU PC resource is available */ ++ if (!amd_iommu_pc_present || iommu == NULL) ++ return -ENODEV; ++ ++ return iommu_pc_get_set_reg_val(iommu, bank, cntr, fxn, ++ value, is_write); ++} +diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c +index 2a1b6e037e1a..0134ba32a057 100644 +--- a/drivers/mtd/ubi/upd.c ++++ b/drivers/mtd/ubi/upd.c +@@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, + vol->changing_leb = 1; + vol->ch_lnum = req->lnum; + +- vol->upd_buf = vmalloc(req->bytes); ++ vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); + if (!vol->upd_buf) + return -ENOMEM; + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index 1817f3f2b02d..f46c0a6c5016 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -684,6 +684,20 @@ static void tcm_qla2xxx_queue_tm_rsp(struct se_cmd *se_cmd) + qlt_xmit_tm_rsp(mcmd); + } + ++static void tcm_qla2xxx_aborted_task(struct se_cmd *se_cmd) ++{ ++ struct qla_tgt_cmd *cmd = container_of(se_cmd, ++ struct qla_tgt_cmd, se_cmd); ++ struct scsi_qla_host *vha = cmd->vha; ++ struct qla_hw_data *ha = vha->hw; ++ ++ if (!cmd->sg_mapped) ++ return; ++ ++ pci_unmap_sg(ha->pdev, cmd->sg, cmd->sg_cnt, cmd->dma_data_direction); ++ cmd->sg_mapped = 0; ++} ++ + /* Local pointer to allocated TCM configfs fabric module */ + struct target_fabric_configfs *tcm_qla2xxx_fabric_configfs; + struct target_fabric_configfs *tcm_qla2xxx_npiv_fabric_configfs; +@@ -1886,6 +1900,7 @@ static struct target_core_fabric_ops tcm_qla2xxx_ops = { + .queue_data_in = tcm_qla2xxx_queue_data_in, + .queue_status = tcm_qla2xxx_queue_status, + .queue_tm_rsp = tcm_qla2xxx_queue_tm_rsp, ++ .aborted_task = tcm_qla2xxx_aborted_task, + /* + * Setup function pointers for generic logic in + * target_core_fabric_configfs.c +@@ -1935,6 +1950,7 @@ static struct target_core_fabric_ops tcm_qla2xxx_npiv_ops = { + .queue_data_in = tcm_qla2xxx_queue_data_in, + .queue_status = tcm_qla2xxx_queue_status, + .queue_tm_rsp = tcm_qla2xxx_queue_tm_rsp, ++ .aborted_task = tcm_qla2xxx_aborted_task, + /* + * Setup function pointers for generic logic in + * target_core_fabric_configfs.c +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index c066e6e298c3..5600eab07865 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -500,6 +500,18 @@ static int iscsit_queue_rsp(struct iscsi_conn *conn, struct iscsi_cmd *cmd) + return 0; + } + ++static void iscsit_aborted_task(struct iscsi_conn *conn, struct iscsi_cmd *cmd) ++{ ++ bool scsi_cmd = (cmd->iscsi_opcode == ISCSI_OP_SCSI_CMD); ++ ++ spin_lock_bh(&conn->cmd_lock); ++ if (!list_empty(&cmd->i_conn_node)) ++ list_del_init(&cmd->i_conn_node); ++ spin_unlock_bh(&conn->cmd_lock); ++ ++ __iscsit_free_cmd(cmd, scsi_cmd, true); ++} ++ + static struct iscsit_transport iscsi_target_transport = { + .name = "iSCSI/TCP", + .transport_type = ISCSI_TCP, +@@ -514,6 +526,7 @@ static struct iscsit_transport iscsi_target_transport = { + .iscsit_response_queue = iscsit_response_queue, + .iscsit_queue_data_in = iscsit_queue_rsp, + .iscsit_queue_status = iscsit_queue_rsp, ++ .iscsit_aborted_task = iscsit_aborted_task, + }; + + static int __init iscsi_target_init_module(void) +diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c +index 83465617ad6d..4a28c5f0dfd1 100644 +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -1815,6 +1815,13 @@ static void lio_queue_tm_rsp(struct se_cmd *se_cmd) + iscsit_add_cmd_to_response_queue(cmd, cmd->conn, cmd->i_state); + } + ++static void lio_aborted_task(struct se_cmd *se_cmd) ++{ ++ struct iscsi_cmd *cmd = container_of(se_cmd, struct iscsi_cmd, se_cmd); ++ ++ cmd->conn->conn_transport->iscsit_aborted_task(cmd->conn, cmd); ++} ++ + static char *lio_tpg_get_endpoint_wwn(struct se_portal_group *se_tpg) + { + struct iscsi_portal_group *tpg = se_tpg->se_tpg_fabric_ptr; +@@ -2013,6 +2020,7 @@ int iscsi_target_register_configfs(void) + fabric->tf_ops.queue_data_in = &lio_queue_data_in; + fabric->tf_ops.queue_status = &lio_queue_status; + fabric->tf_ops.queue_tm_rsp = &lio_queue_tm_rsp; ++ fabric->tf_ops.aborted_task = &lio_aborted_task; + /* + * Setup function pointers for generic logic in target_core_fabric_configfs.c + */ +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 1e406af4ee47..2e96ae6cf3c1 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -705,8 +705,8 @@ void iscsit_release_cmd(struct iscsi_cmd *cmd) + } + EXPORT_SYMBOL(iscsit_release_cmd); + +-static void __iscsit_free_cmd(struct iscsi_cmd *cmd, bool scsi_cmd, +- bool check_queues) ++void __iscsit_free_cmd(struct iscsi_cmd *cmd, bool scsi_cmd, ++ bool check_queues) + { + struct iscsi_conn *conn = cmd->conn; + +diff --git a/drivers/target/iscsi/iscsi_target_util.h b/drivers/target/iscsi/iscsi_target_util.h +index 561a424d1980..a68508c4fec8 100644 +--- a/drivers/target/iscsi/iscsi_target_util.h ++++ b/drivers/target/iscsi/iscsi_target_util.h +@@ -30,6 +30,7 @@ extern void iscsit_remove_cmd_from_tx_queues(struct iscsi_cmd *, struct iscsi_co + extern bool iscsit_conn_all_queues_empty(struct iscsi_conn *); + extern void iscsit_free_queue_reqs_for_conn(struct iscsi_conn *); + extern void iscsit_release_cmd(struct iscsi_cmd *); ++extern void __iscsit_free_cmd(struct iscsi_cmd *, bool, bool); + extern void iscsit_free_cmd(struct iscsi_cmd *, bool); + extern int iscsit_check_session_usage_count(struct iscsi_session *); + extern void iscsit_dec_session_usage_count(struct iscsi_session *); +diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c +index 67c802c93ef3..fd974d69458b 100644 +--- a/drivers/target/loopback/tcm_loop.c ++++ b/drivers/target/loopback/tcm_loop.c +@@ -892,6 +892,11 @@ static void tcm_loop_queue_tm_rsp(struct se_cmd *se_cmd) + wake_up(&tl_tmr->tl_tmr_wait); + } + ++static void tcm_loop_aborted_task(struct se_cmd *se_cmd) ++{ ++ return; ++} ++ + static char *tcm_loop_dump_proto_id(struct tcm_loop_hba *tl_hba) + { + switch (tl_hba->tl_proto_id) { +@@ -1456,6 +1461,7 @@ static int tcm_loop_register_configfs(void) + fabric->tf_ops.queue_data_in = &tcm_loop_queue_data_in; + fabric->tf_ops.queue_status = &tcm_loop_queue_status; + fabric->tf_ops.queue_tm_rsp = &tcm_loop_queue_tm_rsp; ++ fabric->tf_ops.aborted_task = &tcm_loop_aborted_task; + + /* + * Setup function pointers for generic logic in target_core_fabric_configfs.c +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index 24884cac19ce..ad04ea928e4f 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -1846,6 +1846,11 @@ static void sbp_queue_tm_rsp(struct se_cmd *se_cmd) + { + } + ++static void sbp_aborted_task(struct se_cmd *se_cmd) ++{ ++ return; ++} ++ + static int sbp_check_stop_free(struct se_cmd *se_cmd) + { + struct sbp_target_request *req = container_of(se_cmd, +@@ -2526,6 +2531,7 @@ static struct target_core_fabric_ops sbp_ops = { + .queue_data_in = sbp_queue_data_in, + .queue_status = sbp_queue_status, + .queue_tm_rsp = sbp_queue_tm_rsp, ++ .aborted_task = sbp_aborted_task, + .check_stop_free = sbp_check_stop_free, + + .fabric_make_wwn = sbp_make_tport, +diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c +index f30385385544..756def38c77a 100644 +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -457,6 +457,10 @@ static int target_fabric_tf_ops_check( + pr_err("Missing tfo->queue_tm_rsp()\n"); + return -EINVAL; + } ++ if (!tfo->aborted_task) { ++ pr_err("Missing tfo->aborted_task()\n"); ++ return -EINVAL; ++ } + /* + * We at least require tfo->fabric_make_wwn(), tfo->fabric_drop_wwn() + * tfo->fabric_make_tpg() and tfo->fabric_drop_tpg() in +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 093b8cb85de7..e366b812f0e1 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1577,6 +1577,49 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) + return dev; + } + ++/* ++ * Check if the underlying struct block_device request_queue supports ++ * the QUEUE_FLAG_DISCARD bit for UNMAP/WRITE_SAME in SCSI + TRIM ++ * in ATA and we need to set TPE=1 ++ */ ++bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib, ++ struct request_queue *q, int block_size) ++{ ++ if (!blk_queue_discard(q)) ++ return false; ++ ++ attrib->max_unmap_lba_count = (q->limits.max_discard_sectors << 9) / ++ block_size; ++ /* ++ * Currently hardcoded to 1 in Linux/SCSI code.. ++ */ ++ attrib->max_unmap_block_desc_count = 1; ++ attrib->unmap_granularity = q->limits.discard_granularity / block_size; ++ attrib->unmap_granularity_alignment = q->limits.discard_alignment / ++ block_size; ++ return true; ++} ++EXPORT_SYMBOL(target_configure_unmap_from_queue); ++ ++/* ++ * Convert from blocksize advertised to the initiator to the 512 byte ++ * units unconditionally used by the Linux block layer. ++ */ ++sector_t target_to_linux_sector(struct se_device *dev, sector_t lb) ++{ ++ switch (dev->dev_attrib.block_size) { ++ case 4096: ++ return lb << 3; ++ case 2048: ++ return lb << 2; ++ case 1024: ++ return lb << 1; ++ default: ++ return lb; ++ } ++} ++EXPORT_SYMBOL(target_to_linux_sector); ++ + int target_configure_device(struct se_device *dev) + { + struct se_hba *hba = dev->se_hba; +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index b199f1e21d0e..6fe5b503f6e1 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -164,25 +164,11 @@ static int fd_configure_device(struct se_device *dev) + " block_device blocks: %llu logical_block_size: %d\n", + dev_size, div_u64(dev_size, fd_dev->fd_block_size), + fd_dev->fd_block_size); +- /* +- * Check if the underlying struct block_device request_queue supports +- * the QUEUE_FLAG_DISCARD bit for UNMAP/WRITE_SAME in SCSI + TRIM +- * in ATA and we need to set TPE=1 +- */ +- if (blk_queue_discard(q)) { +- dev->dev_attrib.max_unmap_lba_count = +- q->limits.max_discard_sectors; +- /* +- * Currently hardcoded to 1 in Linux/SCSI code.. +- */ +- dev->dev_attrib.max_unmap_block_desc_count = 1; +- dev->dev_attrib.unmap_granularity = +- q->limits.discard_granularity >> 9; +- dev->dev_attrib.unmap_granularity_alignment = +- q->limits.discard_alignment; ++ ++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q, ++ fd_dev->fd_block_size)) + pr_debug("IFILE: BLOCK Discard support available," +- " disabled by default\n"); +- } ++ " disabled by default\n"); + /* + * Enable write same emulation for IBLOCK and use 0xFFFF as + * the smaller WRITE_SAME(10) only has a two-byte block count. +@@ -545,9 +531,12 @@ fd_do_unmap(struct se_cmd *cmd, void *priv, sector_t lba, sector_t nolb) + if (S_ISBLK(inode->i_mode)) { + /* The backend is block device, use discard */ + struct block_device *bdev = inode->i_bdev; ++ struct se_device *dev = cmd->se_dev; + +- ret = blkdev_issue_discard(bdev, lba, +- nolb, GFP_KERNEL, 0); ++ ret = blkdev_issue_discard(bdev, ++ target_to_linux_sector(dev, lba), ++ target_to_linux_sector(dev, nolb), ++ GFP_KERNEL, 0); + if (ret < 0) { + pr_warn("FILEIO: blkdev_issue_discard() failed: %d\n", + ret); +diff --git a/drivers/target/target_core_iblock.c b/drivers/target/target_core_iblock.c +index feefe24a88f7..357b9fb61499 100644 +--- a/drivers/target/target_core_iblock.c ++++ b/drivers/target/target_core_iblock.c +@@ -126,27 +126,11 @@ static int iblock_configure_device(struct se_device *dev) + dev->dev_attrib.hw_max_sectors = queue_max_hw_sectors(q); + dev->dev_attrib.hw_queue_depth = q->nr_requests; + +- /* +- * Check if the underlying struct block_device request_queue supports +- * the QUEUE_FLAG_DISCARD bit for UNMAP/WRITE_SAME in SCSI + TRIM +- * in ATA and we need to set TPE=1 +- */ +- if (blk_queue_discard(q)) { +- dev->dev_attrib.max_unmap_lba_count = +- q->limits.max_discard_sectors; +- +- /* +- * Currently hardcoded to 1 in Linux/SCSI code.. +- */ +- dev->dev_attrib.max_unmap_block_desc_count = 1; +- dev->dev_attrib.unmap_granularity = +- q->limits.discard_granularity >> 9; +- dev->dev_attrib.unmap_granularity_alignment = +- q->limits.discard_alignment; +- ++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q, ++ dev->dev_attrib.hw_block_size)) + pr_debug("IBLOCK: BLOCK Discard support available," +- " disabled by default\n"); +- } ++ " disabled by default\n"); ++ + /* + * Enable write same emulation for IBLOCK and use 0xFFFF as + * the smaller WRITE_SAME(10) only has a two-byte block count. +@@ -418,9 +402,13 @@ iblock_do_unmap(struct se_cmd *cmd, void *priv, + sector_t lba, sector_t nolb) + { + struct block_device *bdev = priv; ++ struct se_device *dev = cmd->se_dev; + int ret; + +- ret = blkdev_issue_discard(bdev, lba, nolb, GFP_KERNEL, 0); ++ ret = blkdev_issue_discard(bdev, ++ target_to_linux_sector(dev, lba), ++ target_to_linux_sector(dev, nolb), ++ GFP_KERNEL, 0); + if (ret < 0) { + pr_err("blkdev_issue_discard() failed: %d\n", ret); + return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; +@@ -460,8 +448,10 @@ iblock_execute_write_same(struct se_cmd *cmd) + struct scatterlist *sg; + struct bio *bio; + struct bio_list list; +- sector_t block_lba = cmd->t_task_lba; +- sector_t sectors = sbc_get_write_same_sectors(cmd); ++ struct se_device *dev = cmd->se_dev; ++ sector_t block_lba = target_to_linux_sector(dev, cmd->t_task_lba); ++ sector_t sectors = target_to_linux_sector(dev, ++ sbc_get_write_same_sectors(cmd)); + + sg = &cmd->t_data_sg[0]; + +@@ -670,12 +660,12 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, + enum dma_data_direction data_direction) + { + struct se_device *dev = cmd->se_dev; ++ sector_t block_lba = target_to_linux_sector(dev, cmd->t_task_lba); + struct iblock_req *ibr; + struct bio *bio, *bio_start; + struct bio_list list; + struct scatterlist *sg; + u32 sg_num = sgl_nents; +- sector_t block_lba; + unsigned bio_cnt; + int rw = 0; + int i; +@@ -701,24 +691,6 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, + rw = READ; + } + +- /* +- * Convert the blocksize advertised to the initiator to the 512 byte +- * units unconditionally used by the Linux block layer. +- */ +- if (dev->dev_attrib.block_size == 4096) +- block_lba = (cmd->t_task_lba << 3); +- else if (dev->dev_attrib.block_size == 2048) +- block_lba = (cmd->t_task_lba << 2); +- else if (dev->dev_attrib.block_size == 1024) +- block_lba = (cmd->t_task_lba << 1); +- else if (dev->dev_attrib.block_size == 512) +- block_lba = cmd->t_task_lba; +- else { +- pr_err("Unsupported SCSI -> BLOCK LBA conversion:" +- " %u\n", dev->dev_attrib.block_size); +- return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; +- } +- + ibr = kzalloc(sizeof(struct iblock_req), GFP_KERNEL); + if (!ibr) + goto fail; +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index 70c638f730af..47a90d631a90 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -76,25 +76,29 @@ void core_tmr_release_req( + } + + spin_lock_irqsave(&dev->se_tmr_lock, flags); +- list_del(&tmr->tmr_list); ++ list_del_init(&tmr->tmr_list); + spin_unlock_irqrestore(&dev->se_tmr_lock, flags); + + kfree(tmr); + } + +-static void core_tmr_handle_tas_abort( +- struct se_node_acl *tmr_nacl, +- struct se_cmd *cmd, +- int tas) ++static void core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas) + { ++ unsigned long flags; ++ bool remove = true, send_tas; + /* + * TASK ABORTED status (TAS) bit support +- */ +- if ((tmr_nacl && +- (tmr_nacl == cmd->se_sess->se_node_acl)) || tas) ++ */ ++ spin_lock_irqsave(&cmd->t_state_lock, flags); ++ send_tas = (cmd->transport_state & CMD_T_TAS); ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ ++ if (send_tas) { ++ remove = false; + transport_send_task_abort(cmd); ++ } + +- transport_cmd_finish_abort(cmd, 0); ++ transport_cmd_finish_abort(cmd, remove); + } + + static int target_check_cdb_and_preempt(struct list_head *list, +@@ -112,6 +116,47 @@ static int target_check_cdb_and_preempt(struct list_head *list, + return 1; + } + ++static bool __target_check_io_state(struct se_cmd *se_cmd, ++ struct se_session *tmr_sess, int tas) ++{ ++ struct se_session *sess = se_cmd->se_sess; ++ ++ assert_spin_locked(&sess->sess_cmd_lock); ++ WARN_ON_ONCE(!irqs_disabled()); ++ /* ++ * If command already reached CMD_T_COMPLETE state within ++ * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown, ++ * this se_cmd has been passed to fabric driver and will ++ * not be aborted. ++ * ++ * Otherwise, obtain a local se_cmd->cmd_kref now for TMR ++ * ABORT_TASK + LUN_RESET for CMD_T_ABORTED processing as ++ * long as se_cmd->cmd_kref is still active unless zero. ++ */ ++ spin_lock(&se_cmd->t_state_lock); ++ if (se_cmd->transport_state & (CMD_T_COMPLETE | CMD_T_FABRIC_STOP)) { ++ pr_debug("Attempted to abort io tag: %u already complete or" ++ " fabric stop, skipping\n", ++ se_cmd->se_tfo->get_task_tag(se_cmd)); ++ spin_unlock(&se_cmd->t_state_lock); ++ return false; ++ } ++ if (sess->sess_tearing_down || se_cmd->cmd_wait_set) { ++ pr_debug("Attempted to abort io tag: %u already shutdown," ++ " skipping\n", se_cmd->se_tfo->get_task_tag(se_cmd)); ++ spin_unlock(&se_cmd->t_state_lock); ++ return false; ++ } ++ se_cmd->transport_state |= CMD_T_ABORTED; ++ ++ if ((tmr_sess != se_cmd->se_sess) && tas) ++ se_cmd->transport_state |= CMD_T_TAS; ++ ++ spin_unlock(&se_cmd->t_state_lock); ++ ++ return kref_get_unless_zero(&se_cmd->cmd_kref); ++} ++ + void core_tmr_abort_task( + struct se_device *dev, + struct se_tmr_req *tmr, +@@ -134,33 +179,19 @@ void core_tmr_abort_task( + printk("ABORT_TASK: Found referenced %s task_tag: %u\n", + se_cmd->se_tfo->get_fabric_name(), ref_tag); + +- spin_lock(&se_cmd->t_state_lock); +- if (se_cmd->transport_state & CMD_T_COMPLETE) { +- printk("ABORT_TASK: ref_tag: %u already complete, skipping\n", ref_tag); +- spin_unlock(&se_cmd->t_state_lock); ++ if (!__target_check_io_state(se_cmd, se_sess, 0)) { + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); ++ target_put_sess_cmd(se_sess, se_cmd); + goto out; + } +- se_cmd->transport_state |= CMD_T_ABORTED; +- spin_unlock(&se_cmd->t_state_lock); + + list_del_init(&se_cmd->se_cmd_list); +- kref_get(&se_cmd->cmd_kref); + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); + + cancel_work_sync(&se_cmd->work); + transport_wait_for_tasks(se_cmd); +- /* +- * Now send SAM_STAT_TASK_ABORTED status for the referenced +- * se_cmd descriptor.. +- */ +- transport_send_task_abort(se_cmd); +- /* +- * Also deal with possible extra acknowledge reference.. +- */ +- if (se_cmd->se_cmd_flags & SCF_ACK_KREF) +- target_put_sess_cmd(se_sess, se_cmd); + ++ transport_cmd_finish_abort(se_cmd, true); + target_put_sess_cmd(se_sess, se_cmd); + + printk("ABORT_TASK: Sending TMR_FUNCTION_COMPLETE for" +@@ -182,9 +213,11 @@ static void core_tmr_drain_tmr_list( + struct list_head *preempt_and_abort_list) + { + LIST_HEAD(drain_tmr_list); ++ struct se_session *sess; + struct se_tmr_req *tmr_p, *tmr_pp; + struct se_cmd *cmd; + unsigned long flags; ++ bool rc; + /* + * Release all pending and outgoing TMRs aside from the received + * LUN_RESET tmr.. +@@ -210,17 +243,39 @@ static void core_tmr_drain_tmr_list( + if (target_check_cdb_and_preempt(preempt_and_abort_list, cmd)) + continue; + ++ sess = cmd->se_sess; ++ if (WARN_ON_ONCE(!sess)) ++ continue; ++ ++ spin_lock(&sess->sess_cmd_lock); + spin_lock(&cmd->t_state_lock); +- if (!(cmd->transport_state & CMD_T_ACTIVE)) { ++ if (!(cmd->transport_state & CMD_T_ACTIVE) || ++ (cmd->transport_state & CMD_T_FABRIC_STOP)) { + spin_unlock(&cmd->t_state_lock); ++ spin_unlock(&sess->sess_cmd_lock); + continue; + } + if (cmd->t_state == TRANSPORT_ISTATE_PROCESSING) { + spin_unlock(&cmd->t_state_lock); ++ spin_unlock(&sess->sess_cmd_lock); + continue; + } ++ if (sess->sess_tearing_down || cmd->cmd_wait_set) { ++ spin_unlock(&cmd->t_state_lock); ++ spin_unlock(&sess->sess_cmd_lock); ++ continue; ++ } ++ cmd->transport_state |= CMD_T_ABORTED; + spin_unlock(&cmd->t_state_lock); + ++ rc = kref_get_unless_zero(&cmd->cmd_kref); ++ if (!rc) { ++ printk("LUN_RESET TMR: non-zero kref_get_unless_zero\n"); ++ spin_unlock(&sess->sess_cmd_lock); ++ continue; ++ } ++ spin_unlock(&sess->sess_cmd_lock); ++ + list_move_tail(&tmr_p->tmr_list, &drain_tmr_list); + } + spin_unlock_irqrestore(&dev->se_tmr_lock, flags); +@@ -234,20 +289,26 @@ static void core_tmr_drain_tmr_list( + (preempt_and_abort_list) ? "Preempt" : "", tmr_p, + tmr_p->function, tmr_p->response, cmd->t_state); + ++ cancel_work_sync(&cmd->work); ++ transport_wait_for_tasks(cmd); ++ + transport_cmd_finish_abort(cmd, 1); ++ target_put_sess_cmd(cmd->se_sess, cmd); + } + } + + static void core_tmr_drain_state_list( + struct se_device *dev, + struct se_cmd *prout_cmd, +- struct se_node_acl *tmr_nacl, ++ struct se_session *tmr_sess, + int tas, + struct list_head *preempt_and_abort_list) + { + LIST_HEAD(drain_task_list); ++ struct se_session *sess; + struct se_cmd *cmd, *next; + unsigned long flags; ++ int rc; + + /* + * Complete outstanding commands with TASK_ABORTED SAM status. +@@ -286,6 +347,16 @@ static void core_tmr_drain_state_list( + if (prout_cmd == cmd) + continue; + ++ sess = cmd->se_sess; ++ if (WARN_ON_ONCE(!sess)) ++ continue; ++ ++ spin_lock(&sess->sess_cmd_lock); ++ rc = __target_check_io_state(cmd, tmr_sess, tas); ++ spin_unlock(&sess->sess_cmd_lock); ++ if (!rc) ++ continue; ++ + list_move_tail(&cmd->state_list, &drain_task_list); + cmd->state_active = false; + } +@@ -293,7 +364,7 @@ static void core_tmr_drain_state_list( + + while (!list_empty(&drain_task_list)) { + cmd = list_entry(drain_task_list.next, struct se_cmd, state_list); +- list_del(&cmd->state_list); ++ list_del_init(&cmd->state_list); + + pr_debug("LUN_RESET: %s cmd: %p" + " ITT/CmdSN: 0x%08x/0x%08x, i_state: %d, t_state: %d" +@@ -317,16 +388,11 @@ static void core_tmr_drain_state_list( + * loop above, but we do it down here given that + * cancel_work_sync may block. + */ +- if (cmd->t_state == TRANSPORT_COMPLETE) +- cancel_work_sync(&cmd->work); +- +- spin_lock_irqsave(&cmd->t_state_lock, flags); +- target_stop_cmd(cmd, &flags); +- +- cmd->transport_state |= CMD_T_ABORTED; +- spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ cancel_work_sync(&cmd->work); ++ transport_wait_for_tasks(cmd); + +- core_tmr_handle_tas_abort(tmr_nacl, cmd, tas); ++ core_tmr_handle_tas_abort(cmd, tas); ++ target_put_sess_cmd(cmd->se_sess, cmd); + } + } + +@@ -338,6 +404,7 @@ int core_tmr_lun_reset( + { + struct se_node_acl *tmr_nacl = NULL; + struct se_portal_group *tmr_tpg = NULL; ++ struct se_session *tmr_sess = NULL; + int tas; + /* + * TASK_ABORTED status bit, this is configurable via ConfigFS +@@ -356,8 +423,9 @@ int core_tmr_lun_reset( + * or struct se_device passthrough.. + */ + if (tmr && tmr->task_cmd && tmr->task_cmd->se_sess) { +- tmr_nacl = tmr->task_cmd->se_sess->se_node_acl; +- tmr_tpg = tmr->task_cmd->se_sess->se_tpg; ++ tmr_sess = tmr->task_cmd->se_sess; ++ tmr_nacl = tmr_sess->se_node_acl; ++ tmr_tpg = tmr_sess->se_tpg; + if (tmr_nacl && tmr_tpg) { + pr_debug("LUN_RESET: TMR caller fabric: %s" + " initiator port %s\n", +@@ -370,7 +438,7 @@ int core_tmr_lun_reset( + dev->transport->name, tas); + + core_tmr_drain_tmr_list(dev, tmr, preempt_and_abort_list); +- core_tmr_drain_state_list(dev, prout_cmd, tmr_nacl, tas, ++ core_tmr_drain_state_list(dev, prout_cmd, tmr_sess, tas, + preempt_and_abort_list); + + /* +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 7afea9b59e2c..cbf927a67160 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -509,9 +509,6 @@ void transport_deregister_session(struct se_session *se_sess) + } + EXPORT_SYMBOL(transport_deregister_session); + +-/* +- * Called with cmd->t_state_lock held. +- */ + static void target_remove_from_state_list(struct se_cmd *cmd) + { + struct se_device *dev = cmd->se_dev; +@@ -536,10 +533,6 @@ static int transport_cmd_check_stop(struct se_cmd *cmd, bool remove_from_lists, + { + unsigned long flags; + +- spin_lock_irqsave(&cmd->t_state_lock, flags); +- if (write_pending) +- cmd->t_state = TRANSPORT_WRITE_PENDING; +- + if (remove_from_lists) { + target_remove_from_state_list(cmd); + +@@ -549,6 +542,10 @@ static int transport_cmd_check_stop(struct se_cmd *cmd, bool remove_from_lists, + cmd->se_lun = NULL; + } + ++ spin_lock_irqsave(&cmd->t_state_lock, flags); ++ if (write_pending) ++ cmd->t_state = TRANSPORT_WRITE_PENDING; ++ + /* + * Determine if frontend context caller is requesting the stopping of + * this command for frontend exceptions. +@@ -603,9 +600,20 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd) + + void transport_cmd_finish_abort(struct se_cmd *cmd, int remove) + { ++ bool ack_kref = (cmd->se_cmd_flags & SCF_ACK_KREF); ++ ++ if (cmd->se_cmd_flags & SCF_SE_LUN_CMD) ++ transport_lun_remove_cmd(cmd); ++ /* ++ * Allow the fabric driver to unmap any resources before ++ * releasing the descriptor via TFO->release_cmd() ++ */ ++ if (remove) ++ cmd->se_tfo->aborted_task(cmd); ++ + if (transport_cmd_check_stop_to_fabric(cmd)) + return; +- if (remove) ++ if (remove && ack_kref) + transport_put_cmd(cmd); + } + +@@ -673,7 +681,7 @@ void target_complete_cmd(struct se_cmd *cmd, u8 scsi_status) + * Check for case where an explicit ABORT_TASK has been received + * and transport_wait_for_tasks() will be waiting for completion.. + */ +- if (cmd->transport_state & CMD_T_ABORTED && ++ if (cmd->transport_state & CMD_T_ABORTED || + cmd->transport_state & CMD_T_STOP) { + spin_unlock_irqrestore(&cmd->t_state_lock, flags); + complete_all(&cmd->t_transport_stop_comp); +@@ -1746,19 +1754,21 @@ static bool target_handle_task_attr(struct se_cmd *cmd) + return true; + } + ++static int __transport_check_aborted_status(struct se_cmd *, int); ++ + void target_execute_cmd(struct se_cmd *cmd) + { + /* +- * If the received CDB has aleady been aborted stop processing it here. +- */ +- if (transport_check_aborted_status(cmd, 1)) +- return; +- +- /* + * Determine if frontend context caller is requesting the stopping of + * this command for frontend exceptions. ++ * ++ * If the received CDB has aleady been aborted stop processing it here. + */ + spin_lock_irq(&cmd->t_state_lock); ++ if (__transport_check_aborted_status(cmd, 1)) { ++ spin_unlock_irq(&cmd->t_state_lock); ++ return; ++ } + if (cmd->transport_state & CMD_T_STOP) { + pr_debug("%s:%d CMD_T_STOP for ITT: 0x%08x\n", + __func__, __LINE__, +@@ -2076,20 +2086,14 @@ static inline void transport_free_pages(struct se_cmd *cmd) + } + + /** +- * transport_release_cmd - free a command +- * @cmd: command to free ++ * transport_put_cmd - release a reference to a command ++ * @cmd: command to release + * +- * This routine unconditionally frees a command, and reference counting +- * or list removal must be done in the caller. ++ * This routine releases our reference to the command and frees it if possible. + */ +-static int transport_release_cmd(struct se_cmd *cmd) ++static int transport_put_cmd(struct se_cmd *cmd) + { + BUG_ON(!cmd->se_tfo); +- +- if (cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) +- core_tmr_release_req(cmd->se_tmr_req); +- if (cmd->t_task_cdb != cmd->__t_task_cdb) +- kfree(cmd->t_task_cdb); + /* + * If this cmd has been setup with target_get_sess_cmd(), drop + * the kref and call ->release_cmd() in kref callback. +@@ -2097,18 +2101,6 @@ static int transport_release_cmd(struct se_cmd *cmd) + return target_put_sess_cmd(cmd->se_sess, cmd); + } + +-/** +- * transport_put_cmd - release a reference to a command +- * @cmd: command to release +- * +- * This routine releases our reference to the command and frees it if possible. +- */ +-static int transport_put_cmd(struct se_cmd *cmd) +-{ +- transport_free_pages(cmd); +- return transport_release_cmd(cmd); +-} +- + void *transport_kmap_data_sg(struct se_cmd *cmd) + { + struct scatterlist *sg = cmd->t_data_sg; +@@ -2296,34 +2288,59 @@ static void transport_write_pending_qf(struct se_cmd *cmd) + } + } + +-int transport_generic_free_cmd(struct se_cmd *cmd, int wait_for_tasks) ++static bool ++__transport_wait_for_tasks(struct se_cmd *, bool, bool *, bool *, ++ unsigned long *flags); ++ ++static void target_wait_free_cmd(struct se_cmd *cmd, bool *aborted, bool *tas) + { + unsigned long flags; ++ ++ spin_lock_irqsave(&cmd->t_state_lock, flags); ++ __transport_wait_for_tasks(cmd, true, aborted, tas, &flags); ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++} ++ ++int transport_generic_free_cmd(struct se_cmd *cmd, int wait_for_tasks) ++{ + int ret = 0; ++ bool aborted = false, tas = false; + + if (!(cmd->se_cmd_flags & SCF_SE_LUN_CMD)) { + if (wait_for_tasks && (cmd->se_cmd_flags & SCF_SCSI_TMR_CDB)) +- transport_wait_for_tasks(cmd); ++ target_wait_free_cmd(cmd, &aborted, &tas); + +- ret = transport_release_cmd(cmd); ++ if (!aborted || tas) ++ ret = transport_put_cmd(cmd); + } else { + if (wait_for_tasks) +- transport_wait_for_tasks(cmd); ++ target_wait_free_cmd(cmd, &aborted, &tas); + /* + * Handle WRITE failure case where transport_generic_new_cmd() + * has already added se_cmd to state_list, but fabric has + * failed command before I/O submission. + */ +- if (cmd->state_active) { +- spin_lock_irqsave(&cmd->t_state_lock, flags); ++ if (cmd->state_active) + target_remove_from_state_list(cmd); +- spin_unlock_irqrestore(&cmd->t_state_lock, flags); +- } + + if (cmd->se_lun) + transport_lun_remove_cmd(cmd); + +- ret = transport_put_cmd(cmd); ++ if (!aborted || tas) ++ ret = transport_put_cmd(cmd); ++ } ++ /* ++ * If the task has been internally aborted due to TMR ABORT_TASK ++ * or LUN_RESET, target_core_tmr.c is responsible for performing ++ * the remaining calls to target_put_sess_cmd(), and not the ++ * callers of this function. ++ */ ++ if (aborted) { ++ pr_debug("Detected CMD_T_ABORTED for ITT: %u\n", ++ cmd->se_tfo->get_task_tag(cmd)); ++ wait_for_completion(&cmd->cmd_wait_comp); ++ cmd->se_tfo->release_cmd(cmd); ++ ret = 1; + } + return ret; + } +@@ -2366,24 +2383,44 @@ out: + } + EXPORT_SYMBOL(target_get_sess_cmd); + ++static void target_free_cmd_mem(struct se_cmd *cmd) ++{ ++ transport_free_pages(cmd); ++ ++ if (cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) ++ core_tmr_release_req(cmd->se_tmr_req); ++ if (cmd->t_task_cdb != cmd->__t_task_cdb) ++ kfree(cmd->t_task_cdb); ++} ++ + static void target_release_cmd_kref(struct kref *kref) + { + struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref); + struct se_session *se_sess = se_cmd->se_sess; ++ bool fabric_stop; + + if (list_empty(&se_cmd->se_cmd_list)) { + spin_unlock(&se_sess->sess_cmd_lock); ++ target_free_cmd_mem(se_cmd); + se_cmd->se_tfo->release_cmd(se_cmd); + return; + } +- if (se_sess->sess_tearing_down && se_cmd->cmd_wait_set) { ++ ++ spin_lock(&se_cmd->t_state_lock); ++ fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP); ++ spin_unlock(&se_cmd->t_state_lock); ++ ++ if (se_cmd->cmd_wait_set || fabric_stop) { ++ list_del_init(&se_cmd->se_cmd_list); + spin_unlock(&se_sess->sess_cmd_lock); ++ target_free_cmd_mem(se_cmd); + complete(&se_cmd->cmd_wait_comp); + return; + } +- list_del(&se_cmd->se_cmd_list); ++ list_del_init(&se_cmd->se_cmd_list); + spin_unlock(&se_sess->sess_cmd_lock); + ++ target_free_cmd_mem(se_cmd); + se_cmd->se_tfo->release_cmd(se_cmd); + } + +@@ -2394,6 +2431,7 @@ static void target_release_cmd_kref(struct kref *kref) + int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd) + { + if (!se_sess) { ++ target_free_cmd_mem(se_cmd); + se_cmd->se_tfo->release_cmd(se_cmd); + return 1; + } +@@ -2411,6 +2449,7 @@ void target_sess_cmd_list_set_waiting(struct se_session *se_sess) + { + struct se_cmd *se_cmd; + unsigned long flags; ++ int rc; + + spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); + if (se_sess->sess_tearing_down) { +@@ -2420,8 +2459,15 @@ void target_sess_cmd_list_set_waiting(struct se_session *se_sess) + se_sess->sess_tearing_down = 1; + list_splice_init(&se_sess->sess_cmd_list, &se_sess->sess_wait_list); + +- list_for_each_entry(se_cmd, &se_sess->sess_wait_list, se_cmd_list) +- se_cmd->cmd_wait_set = 1; ++ list_for_each_entry(se_cmd, &se_sess->sess_wait_list, se_cmd_list) { ++ rc = kref_get_unless_zero(&se_cmd->cmd_kref); ++ if (rc) { ++ se_cmd->cmd_wait_set = 1; ++ spin_lock(&se_cmd->t_state_lock); ++ se_cmd->transport_state |= CMD_T_FABRIC_STOP; ++ spin_unlock(&se_cmd->t_state_lock); ++ } ++ } + + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); + } +@@ -2434,15 +2480,25 @@ void target_wait_for_sess_cmds(struct se_session *se_sess) + { + struct se_cmd *se_cmd, *tmp_cmd; + unsigned long flags; ++ bool tas; + + list_for_each_entry_safe(se_cmd, tmp_cmd, + &se_sess->sess_wait_list, se_cmd_list) { +- list_del(&se_cmd->se_cmd_list); ++ list_del_init(&se_cmd->se_cmd_list); + + pr_debug("Waiting for se_cmd: %p t_state: %d, fabric state:" + " %d\n", se_cmd, se_cmd->t_state, + se_cmd->se_tfo->get_cmd_state(se_cmd)); + ++ spin_lock_irqsave(&se_cmd->t_state_lock, flags); ++ tas = (se_cmd->transport_state & CMD_T_TAS); ++ spin_unlock_irqrestore(&se_cmd->t_state_lock, flags); ++ ++ if (!target_put_sess_cmd(se_sess, se_cmd)) { ++ if (tas) ++ target_put_sess_cmd(se_sess, se_cmd); ++ } ++ + wait_for_completion(&se_cmd->cmd_wait_comp); + pr_debug("After cmd_wait_comp: se_cmd: %p t_state: %d" + " fabric state: %d\n", se_cmd, se_cmd->t_state, +@@ -2485,34 +2541,38 @@ int transport_clear_lun_ref(struct se_lun *lun) + return 0; + } + +-/** +- * transport_wait_for_tasks - wait for completion to occur +- * @cmd: command to wait +- * +- * Called from frontend fabric context to wait for storage engine +- * to pause and/or release frontend generated struct se_cmd. +- */ +-bool transport_wait_for_tasks(struct se_cmd *cmd) ++static bool ++__transport_wait_for_tasks(struct se_cmd *cmd, bool fabric_stop, ++ bool *aborted, bool *tas, unsigned long *flags) ++ __releases(&cmd->t_state_lock) ++ __acquires(&cmd->t_state_lock) + { +- unsigned long flags; + +- spin_lock_irqsave(&cmd->t_state_lock, flags); ++ assert_spin_locked(&cmd->t_state_lock); ++ WARN_ON_ONCE(!irqs_disabled()); ++ ++ if (fabric_stop) ++ cmd->transport_state |= CMD_T_FABRIC_STOP; ++ ++ if (cmd->transport_state & CMD_T_ABORTED) ++ *aborted = true; ++ ++ if (cmd->transport_state & CMD_T_TAS) ++ *tas = true; ++ + if (!(cmd->se_cmd_flags & SCF_SE_LUN_CMD) && +- !(cmd->se_cmd_flags & SCF_SCSI_TMR_CDB)) { +- spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ !(cmd->se_cmd_flags & SCF_SCSI_TMR_CDB)) + return false; +- } + + if (!(cmd->se_cmd_flags & SCF_SUPPORTED_SAM_OPCODE) && +- !(cmd->se_cmd_flags & SCF_SCSI_TMR_CDB)) { +- spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ !(cmd->se_cmd_flags & SCF_SCSI_TMR_CDB)) + return false; +- } + +- if (!(cmd->transport_state & CMD_T_ACTIVE)) { +- spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ if (!(cmd->transport_state & CMD_T_ACTIVE)) ++ return false; ++ ++ if (fabric_stop && *aborted) + return false; +- } + + cmd->transport_state |= CMD_T_STOP; + +@@ -2521,20 +2581,37 @@ bool transport_wait_for_tasks(struct se_cmd *cmd) + cmd, cmd->se_tfo->get_task_tag(cmd), + cmd->se_tfo->get_cmd_state(cmd), cmd->t_state); + +- spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ spin_unlock_irqrestore(&cmd->t_state_lock, *flags); + + wait_for_completion(&cmd->t_transport_stop_comp); + +- spin_lock_irqsave(&cmd->t_state_lock, flags); ++ spin_lock_irqsave(&cmd->t_state_lock, *flags); + cmd->transport_state &= ~(CMD_T_ACTIVE | CMD_T_STOP); + + pr_debug("wait_for_tasks: Stopped wait_for_completion(" + "&cmd->t_transport_stop_comp) for ITT: 0x%08x\n", + cmd->se_tfo->get_task_tag(cmd)); + ++ return true; ++} ++ ++/** ++ * transport_wait_for_tasks - wait for completion to occur ++ * @cmd: command to wait ++ * ++ * Called from frontend fabric context to wait for storage engine ++ * to pause and/or release frontend generated struct se_cmd. ++ */ ++bool transport_wait_for_tasks(struct se_cmd *cmd) ++{ ++ unsigned long flags; ++ bool ret, aborted = false, tas = false; ++ ++ spin_lock_irqsave(&cmd->t_state_lock, flags); ++ ret = __transport_wait_for_tasks(cmd, false, &aborted, &tas, &flags); + spin_unlock_irqrestore(&cmd->t_state_lock, flags); + +- return true; ++ return ret; + } + EXPORT_SYMBOL(transport_wait_for_tasks); + +@@ -2820,24 +2897,51 @@ after_reason: + } + EXPORT_SYMBOL(transport_send_check_condition_and_sense); + +-int transport_check_aborted_status(struct se_cmd *cmd, int send_status) ++static int __transport_check_aborted_status(struct se_cmd *cmd, int send_status) ++ __releases(&cmd->t_state_lock) ++ __acquires(&cmd->t_state_lock) + { ++ assert_spin_locked(&cmd->t_state_lock); ++ WARN_ON_ONCE(!irqs_disabled()); ++ + if (!(cmd->transport_state & CMD_T_ABORTED)) + return 0; + +- if (!send_status || (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS)) ++ /* ++ * If cmd has been aborted but either no status is to be sent or it has ++ * already been sent, just return ++ */ ++ if (!send_status || !(cmd->se_cmd_flags & SCF_SEND_DELAYED_TAS)) { ++ if (send_status) ++ cmd->se_cmd_flags |= SCF_SEND_DELAYED_TAS; + return 1; ++ } + +- pr_debug("Sending delayed SAM_STAT_TASK_ABORTED status for CDB: 0x%02x ITT: 0x%08x\n", +- cmd->t_task_cdb[0], cmd->se_tfo->get_task_tag(cmd)); ++ pr_debug("Sending delayed SAM_STAT_TASK_ABORTED status for CDB:" ++ " 0x%02x ITT: 0x%08x\n", cmd->t_task_cdb[0], ++ cmd->se_tfo->get_task_tag(cmd)); + +- cmd->se_cmd_flags |= SCF_SENT_DELAYED_TAS; ++ cmd->se_cmd_flags &= ~SCF_SEND_DELAYED_TAS; + cmd->scsi_status = SAM_STAT_TASK_ABORTED; + trace_target_cmd_complete(cmd); ++ ++ spin_unlock_irq(&cmd->t_state_lock); + cmd->se_tfo->queue_status(cmd); ++ spin_lock_irq(&cmd->t_state_lock); + + return 1; + } ++ ++int transport_check_aborted_status(struct se_cmd *cmd, int send_status) ++{ ++ int ret; ++ ++ spin_lock_irq(&cmd->t_state_lock); ++ ret = __transport_check_aborted_status(cmd, send_status); ++ spin_unlock_irq(&cmd->t_state_lock); ++ ++ return ret; ++} + EXPORT_SYMBOL(transport_check_aborted_status); + + void transport_send_task_abort(struct se_cmd *cmd) +@@ -2845,7 +2949,7 @@ void transport_send_task_abort(struct se_cmd *cmd) + unsigned long flags; + + spin_lock_irqsave(&cmd->t_state_lock, flags); +- if (cmd->se_cmd_flags & (SCF_SENT_CHECK_CONDITION | SCF_SENT_DELAYED_TAS)) { ++ if (cmd->se_cmd_flags & (SCF_SENT_CHECK_CONDITION)) { + spin_unlock_irqrestore(&cmd->t_state_lock, flags); + return; + } +@@ -2859,11 +2963,17 @@ void transport_send_task_abort(struct se_cmd *cmd) + */ + if (cmd->data_direction == DMA_TO_DEVICE) { + if (cmd->se_tfo->write_pending_status(cmd) != 0) { +- cmd->transport_state |= CMD_T_ABORTED; +- smp_mb__after_atomic_inc(); ++ spin_lock_irqsave(&cmd->t_state_lock, flags); ++ if (cmd->se_cmd_flags & SCF_SEND_DELAYED_TAS) { ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ goto send_abort; ++ } ++ cmd->se_cmd_flags |= SCF_SEND_DELAYED_TAS; ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); + return; + } + } ++send_abort: + cmd->scsi_status = SAM_STAT_TASK_ABORTED; + + transport_lun_remove_cmd(cmd); +@@ -2881,8 +2991,17 @@ static void target_tmr_work(struct work_struct *work) + struct se_cmd *cmd = container_of(work, struct se_cmd, work); + struct se_device *dev = cmd->se_dev; + struct se_tmr_req *tmr = cmd->se_tmr_req; ++ unsigned long flags; + int ret; + ++ spin_lock_irqsave(&cmd->t_state_lock, flags); ++ if (cmd->transport_state & CMD_T_ABORTED) { ++ tmr->response = TMR_FUNCTION_REJECTED; ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ goto check_stop; ++ } ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ + switch (tmr->function) { + case TMR_ABORT_TASK: + core_tmr_abort_task(dev, tmr, cmd->se_sess); +@@ -2910,9 +3029,17 @@ static void target_tmr_work(struct work_struct *work) + break; + } + ++ spin_lock_irqsave(&cmd->t_state_lock, flags); ++ if (cmd->transport_state & CMD_T_ABORTED) { ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ goto check_stop; ++ } + cmd->t_state = TRANSPORT_ISTATE_PROCESSING; ++ spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ + cmd->se_tfo->queue_tm_rsp(cmd); + ++check_stop: + transport_cmd_check_stop_to_fabric(cmd); + } + +diff --git a/drivers/target/tcm_fc/tcm_fc.h b/drivers/target/tcm_fc/tcm_fc.h +index 752863acecb8..4f4b97161228 100644 +--- a/drivers/target/tcm_fc/tcm_fc.h ++++ b/drivers/target/tcm_fc/tcm_fc.h +@@ -163,6 +163,7 @@ int ft_write_pending_status(struct se_cmd *); + u32 ft_get_task_tag(struct se_cmd *); + int ft_get_cmd_state(struct se_cmd *); + void ft_queue_tm_resp(struct se_cmd *); ++void ft_aborted_task(struct se_cmd *); + + /* + * other internal functions. +diff --git a/drivers/target/tcm_fc/tfc_cmd.c b/drivers/target/tcm_fc/tfc_cmd.c +index d22cdc77e9d4..f5fd515b2bee 100644 +--- a/drivers/target/tcm_fc/tfc_cmd.c ++++ b/drivers/target/tcm_fc/tfc_cmd.c +@@ -426,6 +426,11 @@ void ft_queue_tm_resp(struct se_cmd *se_cmd) + ft_send_resp_code(cmd, code); + } + ++void ft_aborted_task(struct se_cmd *se_cmd) ++{ ++ return; ++} ++ + static void ft_send_work(struct work_struct *work); + + /* +diff --git a/drivers/target/tcm_fc/tfc_conf.c b/drivers/target/tcm_fc/tfc_conf.c +index e879da81ad93..b8b5a719a784 100644 +--- a/drivers/target/tcm_fc/tfc_conf.c ++++ b/drivers/target/tcm_fc/tfc_conf.c +@@ -536,6 +536,7 @@ static struct target_core_fabric_ops ft_fabric_ops = { + .queue_data_in = ft_queue_data_in, + .queue_status = ft_queue_status, + .queue_tm_rsp = ft_queue_tm_resp, ++ .aborted_task = ft_aborted_task, + /* + * Setup function pointers for generic logic in + * target_core_fabric_configfs.c +diff --git a/drivers/usb/gadget/tcm_usb_gadget.c b/drivers/usb/gadget/tcm_usb_gadget.c +index 460c266b8e24..cdec2492ff40 100644 +--- a/drivers/usb/gadget/tcm_usb_gadget.c ++++ b/drivers/usb/gadget/tcm_usb_gadget.c +@@ -1471,6 +1471,11 @@ static void usbg_queue_tm_rsp(struct se_cmd *se_cmd) + { + } + ++static void usbg_aborted_task(struct se_cmd *se_cmd) ++{ ++ return; ++} ++ + static const char *usbg_check_wwn(const char *name) + { + const char *n; +@@ -1897,6 +1902,7 @@ static struct target_core_fabric_ops usbg_ops = { + .queue_data_in = usbg_send_read_response, + .queue_status = usbg_send_status_response, + .queue_tm_rsp = usbg_queue_tm_rsp, ++ .aborted_task = usbg_aborted_task, + .check_stop_free = usbg_check_stop_free, + + .fabric_make_wwn = usbg_make_tport, +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 21bf168981f9..922723edd6b0 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -164,6 +164,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ + { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ + { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ ++ { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ + { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 9bab34cf01d4..24366a2afea6 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -271,6 +271,7 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_UE910_V2 0x1012 + #define TELIT_PRODUCT_LE922_USBCFG0 0x1042 + #define TELIT_PRODUCT_LE922_USBCFG3 0x1043 ++#define TELIT_PRODUCT_LE922_USBCFG5 0x1045 + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 + +@@ -1140,6 +1141,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */ ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), +@@ -1191,6 +1194,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3), + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff), ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index 6aeea1936aea..8f48f2bf34d4 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -539,6 +539,11 @@ static void tcm_vhost_queue_tm_rsp(struct se_cmd *se_cmd) + return; + } + ++static void tcm_vhost_aborted_task(struct se_cmd *se_cmd) ++{ ++ return; ++} ++ + static void tcm_vhost_free_evt(struct vhost_scsi *vs, struct tcm_vhost_evt *evt) + { + vs->vs_events_nr--; +@@ -2173,6 +2178,7 @@ static struct target_core_fabric_ops tcm_vhost_ops = { + .queue_data_in = tcm_vhost_queue_data_in, + .queue_status = tcm_vhost_queue_status, + .queue_tm_rsp = tcm_vhost_queue_tm_rsp, ++ .aborted_task = tcm_vhost_aborted_task, + /* + * Setup callers for generic logic in target_core_fabric_configfs.c + */ +diff --git a/fs/bio.c b/fs/bio.c +index b2b1451912b5..6d8cf434bf94 100644 +--- a/fs/bio.c ++++ b/fs/bio.c +@@ -1096,9 +1096,12 @@ int bio_uncopy_user(struct bio *bio) + ret = __bio_copy_iov(bio, bmd->sgvecs, bmd->nr_sgvecs, + bio_data_dir(bio) == READ, + 0, bmd->is_our_pages); +- else if (bmd->is_our_pages) +- bio_for_each_segment_all(bvec, bio, i) +- __free_page(bvec->bv_page); ++ else { ++ ret = -EINTR; ++ if (bmd->is_our_pages) ++ bio_for_each_segment_all(bvec, bio, i) ++ __free_page(bvec->bv_page); ++ } + } + kfree(bmd); + bio_put(bio); +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index f3264bd7a83d..3f709ab0223b 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -1399,11 +1399,10 @@ openRetry: + * current bigbuf. + */ + static int +-cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) ++discard_remaining_data(struct TCP_Server_Info *server) + { + unsigned int rfclen = get_rfc1002_length(server->smallbuf); + int remaining = rfclen + 4 - server->total_read; +- struct cifs_readdata *rdata = mid->callback_data; + + while (remaining > 0) { + int length; +@@ -1417,10 +1416,20 @@ cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) + remaining -= length; + } + +- dequeue_mid(mid, rdata->result); + return 0; + } + ++static int ++cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) ++{ ++ int length; ++ struct cifs_readdata *rdata = mid->callback_data; ++ ++ length = discard_remaining_data(server); ++ dequeue_mid(mid, rdata->result); ++ return length; ++} ++ + int + cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) + { +@@ -1449,6 +1458,12 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) + return length; + server->total_read += length; + ++ if (server->ops->is_status_pending && ++ server->ops->is_status_pending(buf, server, 0)) { ++ discard_remaining_data(server); ++ return -1; ++ } ++ + /* Was the SMB read successful? */ + rdata->result = server->ops->map_error(buf, false); + if (rdata->result != 0) { +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 348792911e1f..ae375dff03da 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1004,21 +1004,25 @@ parse_lease_state(struct TCP_Server_Info *server, struct smb2_create_rsp *rsp, + { + char *data_offset; + struct create_context *cc; +- unsigned int next = 0; ++ unsigned int next; ++ unsigned int remaining; + char *name; + + data_offset = (char *)rsp + 4 + le32_to_cpu(rsp->CreateContextsOffset); ++ remaining = le32_to_cpu(rsp->CreateContextsLength); + cc = (struct create_context *)data_offset; +- do { +- cc = (struct create_context *)((char *)cc + next); ++ while (remaining >= sizeof(struct create_context)) { + name = le16_to_cpu(cc->NameOffset) + (char *)cc; +- if (le16_to_cpu(cc->NameLength) != 4 || +- strncmp(name, "RqLs", 4)) { +- next = le32_to_cpu(cc->Next); +- continue; +- } +- return server->ops->parse_lease_buf(cc, epoch); +- } while (next != 0); ++ if (le16_to_cpu(cc->NameLength) == 4 && ++ strncmp(name, "RqLs", 4) == 0) ++ return server->ops->parse_lease_buf(cc, epoch); ++ ++ next = le32_to_cpu(cc->Next); ++ if (!next) ++ break; ++ remaining -= next; ++ cc = (struct create_context *)((char *)cc + next); ++ } + + return 0; + } +diff --git a/fs/jffs2/README.Locking b/fs/jffs2/README.Locking +index 3ea36554107f..8918ac905a3b 100644 +--- a/fs/jffs2/README.Locking ++++ b/fs/jffs2/README.Locking +@@ -2,10 +2,6 @@ + JFFS2 LOCKING DOCUMENTATION + --------------------------- + +-At least theoretically, JFFS2 does not require the Big Kernel Lock +-(BKL), which was always helpfully obtained for it by Linux 2.4 VFS +-code. It has its own locking, as described below. +- + This document attempts to describe the existing locking rules for + JFFS2. It is not expected to remain perfectly up to date, but ought to + be fairly close. +@@ -69,6 +65,7 @@ Ordering constraints: + any f->sem held. + 2. Never attempt to lock two file mutexes in one thread. + No ordering rules have been made for doing so. ++ 3. Never lock a page cache page with f->sem held. + + + erase_completion_lock spinlock +diff --git a/fs/jffs2/build.c b/fs/jffs2/build.c +index a3750f902adc..c1f04947d7dc 100644 +--- a/fs/jffs2/build.c ++++ b/fs/jffs2/build.c +@@ -49,7 +49,8 @@ next_inode(int *i, struct jffs2_inode_cache *ic, struct jffs2_sb_info *c) + + + static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, +- struct jffs2_inode_cache *ic) ++ struct jffs2_inode_cache *ic, ++ int *dir_hardlinks) + { + struct jffs2_full_dirent *fd; + +@@ -68,19 +69,21 @@ static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, + dbg_fsbuild("child \"%s\" (ino #%u) of dir ino #%u doesn't exist!\n", + fd->name, fd->ino, ic->ino); + jffs2_mark_node_obsolete(c, fd->raw); ++ /* Clear the ic/raw union so it doesn't cause problems later. */ ++ fd->ic = NULL; + continue; + } + ++ /* From this point, fd->raw is no longer used so we can set fd->ic */ ++ fd->ic = child_ic; ++ child_ic->pino_nlink++; ++ /* If we appear (at this stage) to have hard-linked directories, ++ * set a flag to trigger a scan later */ + if (fd->type == DT_DIR) { +- if (child_ic->pino_nlink) { +- JFFS2_ERROR("child dir \"%s\" (ino #%u) of dir ino #%u appears to be a hard link\n", +- fd->name, fd->ino, ic->ino); +- /* TODO: What do we do about it? */ +- } else { +- child_ic->pino_nlink = ic->ino; +- } +- } else +- child_ic->pino_nlink++; ++ child_ic->flags |= INO_FLAGS_IS_DIR; ++ if (child_ic->pino_nlink > 1) ++ *dir_hardlinks = 1; ++ } + + dbg_fsbuild("increased nlink for child \"%s\" (ino #%u)\n", fd->name, fd->ino); + /* Can't free scan_dents so far. We might need them in pass 2 */ +@@ -94,8 +97,7 @@ static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, + */ + static int jffs2_build_filesystem(struct jffs2_sb_info *c) + { +- int ret; +- int i; ++ int ret, i, dir_hardlinks = 0; + struct jffs2_inode_cache *ic; + struct jffs2_full_dirent *fd; + struct jffs2_full_dirent *dead_fds = NULL; +@@ -119,7 +121,7 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) + /* Now scan the directory tree, increasing nlink according to every dirent found. */ + for_each_inode(i, c, ic) { + if (ic->scan_dents) { +- jffs2_build_inode_pass1(c, ic); ++ jffs2_build_inode_pass1(c, ic, &dir_hardlinks); + cond_resched(); + } + } +@@ -155,6 +157,20 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) + } + + dbg_fsbuild("pass 2a complete\n"); ++ ++ if (dir_hardlinks) { ++ /* If we detected directory hardlinks earlier, *hopefully* ++ * they are gone now because some of the links were from ++ * dead directories which still had some old dirents lying ++ * around and not yet garbage-collected, but which have ++ * been discarded above. So clear the pino_nlink field ++ * in each directory, so that the final scan below can ++ * print appropriate warnings. */ ++ for_each_inode(i, c, ic) { ++ if (ic->flags & INO_FLAGS_IS_DIR) ++ ic->pino_nlink = 0; ++ } ++ } + dbg_fsbuild("freeing temporary data structures\n"); + + /* Finally, we can scan again and free the dirent structs */ +@@ -162,6 +178,33 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) + while(ic->scan_dents) { + fd = ic->scan_dents; + ic->scan_dents = fd->next; ++ /* We do use the pino_nlink field to count nlink of ++ * directories during fs build, so set it to the ++ * parent ino# now. Now that there's hopefully only ++ * one. */ ++ if (fd->type == DT_DIR) { ++ if (!fd->ic) { ++ /* We'll have complained about it and marked the coresponding ++ raw node obsolete already. Just skip it. */ ++ continue; ++ } ++ ++ /* We *have* to have set this in jffs2_build_inode_pass1() */ ++ BUG_ON(!(fd->ic->flags & INO_FLAGS_IS_DIR)); ++ ++ /* We clear ic->pino_nlink ∀ directories' ic *only* if dir_hardlinks ++ * is set. Otherwise, we know this should never trigger anyway, so ++ * we don't do the check. And ic->pino_nlink still contains the nlink ++ * value (which is 1). */ ++ if (dir_hardlinks && fd->ic->pino_nlink) { ++ JFFS2_ERROR("child dir \"%s\" (ino #%u) of dir ino #%u is also hard linked from dir ino #%u\n", ++ fd->name, fd->ino, ic->ino, fd->ic->pino_nlink); ++ /* Should we unlink it from its previous parent? */ ++ } ++ ++ /* For directories, ic->pino_nlink holds that parent inode # */ ++ fd->ic->pino_nlink = ic->ino; ++ } + jffs2_free_full_dirent(fd); + } + ic->scan_dents = NULL; +@@ -240,11 +283,7 @@ static void jffs2_build_remove_unlinked_inode(struct jffs2_sb_info *c, + + /* Reduce nlink of the child. If it's now zero, stick it on the + dead_fds list to be cleaned up later. Else just free the fd */ +- +- if (fd->type == DT_DIR) +- child_ic->pino_nlink = 0; +- else +- child_ic->pino_nlink--; ++ child_ic->pino_nlink--; + + if (!child_ic->pino_nlink) { + dbg_fsbuild("inode #%u (\"%s\") now has no links; adding to dead_fds list.\n", +diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c +index 256cd19a3b78..d2570ae2e998 100644 +--- a/fs/jffs2/file.c ++++ b/fs/jffs2/file.c +@@ -139,39 +139,33 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + struct page *pg; + struct inode *inode = mapping->host; + struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); +- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); +- struct jffs2_raw_inode ri; +- uint32_t alloc_len = 0; + pgoff_t index = pos >> PAGE_CACHE_SHIFT; + uint32_t pageofs = index << PAGE_CACHE_SHIFT; + int ret = 0; + +- jffs2_dbg(1, "%s()\n", __func__); +- +- if (pageofs > inode->i_size) { +- ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, +- ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); +- if (ret) +- return ret; +- } +- +- mutex_lock(&f->sem); + pg = grab_cache_page_write_begin(mapping, index, flags); +- if (!pg) { +- if (alloc_len) +- jffs2_complete_reservation(c); +- mutex_unlock(&f->sem); ++ if (!pg) + return -ENOMEM; +- } + *pagep = pg; + +- if (alloc_len) { ++ jffs2_dbg(1, "%s()\n", __func__); ++ ++ if (pageofs > inode->i_size) { + /* Make new hole frag from old EOF to new page */ ++ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); ++ struct jffs2_raw_inode ri; + struct jffs2_full_dnode *fn; ++ uint32_t alloc_len; + + jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n", + (unsigned int)inode->i_size, pageofs); + ++ ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, ++ ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); ++ if (ret) ++ goto out_page; ++ ++ mutex_lock(&f->sem); + memset(&ri, 0, sizeof(ri)); + + ri.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK); +@@ -198,6 +192,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + if (IS_ERR(fn)) { + ret = PTR_ERR(fn); + jffs2_complete_reservation(c); ++ mutex_unlock(&f->sem); + goto out_page; + } + ret = jffs2_add_full_dnode_to_inode(c, f, fn); +@@ -212,10 +207,12 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + jffs2_mark_node_obsolete(c, fn->raw); + jffs2_free_full_dnode(fn); + jffs2_complete_reservation(c); ++ mutex_unlock(&f->sem); + goto out_page; + } + jffs2_complete_reservation(c); + inode->i_size = pageofs; ++ mutex_unlock(&f->sem); + } + + /* +@@ -224,18 +221,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + * case of a short-copy. + */ + if (!PageUptodate(pg)) { ++ mutex_lock(&f->sem); + ret = jffs2_do_readpage_nolock(inode, pg); ++ mutex_unlock(&f->sem); + if (ret) + goto out_page; + } +- mutex_unlock(&f->sem); + jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags); + return ret; + + out_page: + unlock_page(pg); + page_cache_release(pg); +- mutex_unlock(&f->sem); + return ret; + } + +diff --git a/fs/jffs2/gc.c b/fs/jffs2/gc.c +index 5a2dec2b064c..95d5880a63ee 100644 +--- a/fs/jffs2/gc.c ++++ b/fs/jffs2/gc.c +@@ -1296,14 +1296,17 @@ static int jffs2_garbage_collect_dnode(struct jffs2_sb_info *c, struct jffs2_era + BUG_ON(start > orig_start); + } + +- /* First, use readpage() to read the appropriate page into the page cache */ +- /* Q: What happens if we actually try to GC the _same_ page for which commit_write() +- * triggered garbage collection in the first place? +- * A: I _think_ it's OK. read_cache_page shouldn't deadlock, we'll write out the +- * page OK. We'll actually write it out again in commit_write, which is a little +- * suboptimal, but at least we're correct. +- */ ++ /* The rules state that we must obtain the page lock *before* f->sem, so ++ * drop f->sem temporarily. Since we also hold c->alloc_sem, nothing's ++ * actually going to *change* so we're safe; we only allow reading. ++ * ++ * It is important to note that jffs2_write_begin() will ensure that its ++ * page is marked Uptodate before allocating space. That means that if we ++ * end up here trying to GC the *same* page that jffs2_write_begin() is ++ * trying to write out, read_cache_page() will not deadlock. */ ++ mutex_unlock(&f->sem); + pg_ptr = jffs2_gc_fetch_page(c, f, start, &pg); ++ mutex_lock(&f->sem); + + if (IS_ERR(pg_ptr)) { + pr_warn("read_cache_page() returned error: %ld\n", +diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h +index fa35ff79ab35..0637271f3770 100644 +--- a/fs/jffs2/nodelist.h ++++ b/fs/jffs2/nodelist.h +@@ -194,6 +194,7 @@ struct jffs2_inode_cache { + #define INO_STATE_CLEARING 6 /* In clear_inode() */ + + #define INO_FLAGS_XATTR_CHECKED 0x01 /* has no duplicate xattr_ref */ ++#define INO_FLAGS_IS_DIR 0x02 /* is a directory */ + + #define RAWNODE_CLASS_INODE_CACHE 0 + #define RAWNODE_CLASS_XATTR_DATUM 1 +@@ -249,7 +250,10 @@ struct jffs2_readinode_info + + struct jffs2_full_dirent + { +- struct jffs2_raw_node_ref *raw; ++ union { ++ struct jffs2_raw_node_ref *raw; ++ struct jffs2_inode_cache *ic; /* Just during part of build */ ++ }; + struct jffs2_full_dirent *next; + uint32_t version; + uint32_t ino; /* == zero for unlink */ +diff --git a/fs/locks.c b/fs/locks.c +index 2c61c4e9368c..f3197830f07e 100644 +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -2007,7 +2007,6 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, + goto out; + } + +-again: + error = flock_to_posix_lock(filp, file_lock, &flock); + if (error) + goto out; +@@ -2038,19 +2037,22 @@ again: + * Attempt to detect a close/fcntl race and recover by + * releasing the lock that was just acquired. + */ +- /* +- * we need that spin_lock here - it prevents reordering between +- * update of inode->i_flock and check for it done in close(). +- * rcu_read_lock() wouldn't do. +- */ +- spin_lock(¤t->files->file_lock); +- f = fcheck(fd); +- spin_unlock(¤t->files->file_lock); +- if (!error && f != filp && flock.l_type != F_UNLCK) { +- flock.l_type = F_UNLCK; +- goto again; ++ if (!error && file_lock->fl_type != F_UNLCK) { ++ /* ++ * We need that spin_lock here - it prevents reordering between ++ * update of inode->i_flock and check for it done in ++ * close(). rcu_read_lock() wouldn't do. ++ */ ++ spin_lock(¤t->files->file_lock); ++ f = fcheck(fd); ++ spin_unlock(¤t->files->file_lock); ++ if (f != filp) { ++ file_lock->fl_type = F_UNLCK; ++ error = do_lock_file_wait(filp, cmd, file_lock); ++ WARN_ON_ONCE(error); ++ error = -EBADF; ++ } + } +- + out: + locks_free_lock(file_lock); + return error; +@@ -2125,7 +2127,6 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, + goto out; + } + +-again: + error = flock64_to_posix_lock(filp, file_lock, &flock); + if (error) + goto out; +@@ -2156,14 +2157,22 @@ again: + * Attempt to detect a close/fcntl race and recover by + * releasing the lock that was just acquired. + */ +- spin_lock(¤t->files->file_lock); +- f = fcheck(fd); +- spin_unlock(¤t->files->file_lock); +- if (!error && f != filp && flock.l_type != F_UNLCK) { +- flock.l_type = F_UNLCK; +- goto again; ++ if (!error && file_lock->fl_type != F_UNLCK) { ++ /* ++ * We need that spin_lock here - it prevents reordering between ++ * update of inode->i_flock and check for it done in ++ * close(). rcu_read_lock() wouldn't do. ++ */ ++ spin_lock(¤t->files->file_lock); ++ f = fcheck(fd); ++ spin_unlock(¤t->files->file_lock); ++ if (f != filp) { ++ file_lock->fl_type = F_UNLCK; ++ error = do_lock_file_wait(filp, cmd, file_lock); ++ WARN_ON_ONCE(error); ++ error = -EBADF; ++ } + } +- + out: + locks_free_lock(file_lock); + return error; +diff --git a/include/linux/ata.h b/include/linux/ata.h +index f2f4d8da97c0..f7ff6554a354 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -484,8 +484,8 @@ enum ata_tf_protocols { + }; + + enum ata_ioctls { +- ATA_IOC_GET_IO32 = 0x309, +- ATA_IOC_SET_IO32 = 0x324, ++ ATA_IOC_GET_IO32 = 0x309, /* HDIO_GET_32BIT */ ++ ATA_IOC_SET_IO32 = 0x324, /* HDIO_SET_32BIT */ + }; + + /* core structures */ +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 189c9ff97b29..a445209be917 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -712,7 +712,7 @@ struct ata_device { + union { + u16 id[ATA_ID_WORDS]; /* IDENTIFY xxx DEVICE data */ + u32 gscr[SATA_PMP_GSCR_DWORDS]; /* PMP GSCR block */ +- }; ++ } ____cacheline_aligned; + + /* DEVSLP Timing Variables from Identify Device Data Log */ + u8 devslp_timing[ATA_LOG_DEVSLP_SIZE]; +diff --git a/include/target/iscsi/iscsi_transport.h b/include/target/iscsi/iscsi_transport.h +index d1fb912740f3..0d7a62fea895 100644 +--- a/include/target/iscsi/iscsi_transport.h ++++ b/include/target/iscsi/iscsi_transport.h +@@ -21,6 +21,7 @@ struct iscsit_transport { + int (*iscsit_get_dataout)(struct iscsi_conn *, struct iscsi_cmd *, bool); + int (*iscsit_queue_data_in)(struct iscsi_conn *, struct iscsi_cmd *); + int (*iscsit_queue_status)(struct iscsi_conn *, struct iscsi_cmd *); ++ void (*iscsit_aborted_task)(struct iscsi_conn *, struct iscsi_cmd *); + }; + + static inline void *iscsit_priv_cmd(struct iscsi_cmd *cmd) +diff --git a/include/target/target_core_backend.h b/include/target/target_core_backend.h +index f5915b39386a..522ae25a61a7 100644 +--- a/include/target/target_core_backend.h ++++ b/include/target/target_core_backend.h +@@ -94,4 +94,8 @@ sense_reason_t transport_generic_map_mem_to_cmd(struct se_cmd *, + + void array_free(void *array, int n); + ++sector_t target_to_linux_sector(struct se_device *dev, sector_t lb); ++bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib, ++ struct request_queue *q, int block_size); ++ + #endif /* TARGET_CORE_BACKEND_H */ +diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h +index 42606764d830..3beb2fed86aa 100644 +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -162,7 +162,7 @@ enum se_cmd_flags_table { + SCF_SENT_CHECK_CONDITION = 0x00000800, + SCF_OVERFLOW_BIT = 0x00001000, + SCF_UNDERFLOW_BIT = 0x00002000, +- SCF_SENT_DELAYED_TAS = 0x00004000, ++ SCF_SEND_DELAYED_TAS = 0x00004000, + SCF_ALUA_NON_OPTIMIZED = 0x00008000, + SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC = 0x00020000, + SCF_ACK_KREF = 0x00040000, +@@ -528,6 +528,8 @@ struct se_cmd { + #define CMD_T_DEV_ACTIVE (1 << 7) + #define CMD_T_REQUEST_STOP (1 << 8) + #define CMD_T_BUSY (1 << 9) ++#define CMD_T_TAS (1 << 10) ++#define CMD_T_FABRIC_STOP (1 << 11) + spinlock_t t_state_lock; + struct completion t_transport_stop_comp; + +diff --git a/include/target/target_core_fabric.h b/include/target/target_core_fabric.h +index 0218d689b3d7..1d1043644b9b 100644 +--- a/include/target/target_core_fabric.h ++++ b/include/target/target_core_fabric.h +@@ -62,6 +62,7 @@ struct target_core_fabric_ops { + int (*queue_data_in)(struct se_cmd *); + int (*queue_status)(struct se_cmd *); + void (*queue_tm_rsp)(struct se_cmd *); ++ void (*aborted_task)(struct se_cmd *); + /* + * fabric module calls for target_core_fabric_configfs.c + */ +diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c +index 2bb95a7a8809..c14565bde887 100644 +--- a/sound/core/control_compat.c ++++ b/sound/core/control_compat.c +@@ -170,6 +170,19 @@ struct snd_ctl_elem_value32 { + unsigned char reserved[128]; + }; + ++#ifdef CONFIG_X86_X32 ++/* x32 has a different alignment for 64bit values from ia32 */ ++struct snd_ctl_elem_value_x32 { ++ struct snd_ctl_elem_id id; ++ unsigned int indirect; /* bit-field causes misalignment */ ++ union { ++ s32 integer[128]; ++ unsigned char data[512]; ++ s64 integer64[64]; ++ } value; ++ unsigned char reserved[128]; ++}; ++#endif /* CONFIG_X86_X32 */ + + /* get the value type and count of the control */ + static int get_ctl_type(struct snd_card *card, struct snd_ctl_elem_id *id, +@@ -219,9 +232,11 @@ static int get_elem_size(int type, int count) + + static int copy_ctl_value_from_user(struct snd_card *card, + struct snd_ctl_elem_value *data, +- struct snd_ctl_elem_value32 __user *data32, ++ void __user *userdata, ++ void __user *valuep, + int *typep, int *countp) + { ++ struct snd_ctl_elem_value32 __user *data32 = userdata; + int i, type, size; + int uninitialized_var(count); + unsigned int indirect; +@@ -239,8 +254,9 @@ static int copy_ctl_value_from_user(struct snd_card *card, + if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN || + type == SNDRV_CTL_ELEM_TYPE_INTEGER) { + for (i = 0; i < count; i++) { ++ s32 __user *intp = valuep; + int val; +- if (get_user(val, &data32->value.integer[i])) ++ if (get_user(val, &intp[i])) + return -EFAULT; + data->value.integer.value[i] = val; + } +@@ -250,8 +266,7 @@ static int copy_ctl_value_from_user(struct snd_card *card, + printk(KERN_ERR "snd_ioctl32_ctl_elem_value: unknown type %d\n", type); + return -EINVAL; + } +- if (copy_from_user(data->value.bytes.data, +- data32->value.data, size)) ++ if (copy_from_user(data->value.bytes.data, valuep, size)) + return -EFAULT; + } + +@@ -261,7 +276,8 @@ static int copy_ctl_value_from_user(struct snd_card *card, + } + + /* restore the value to 32bit */ +-static int copy_ctl_value_to_user(struct snd_ctl_elem_value32 __user *data32, ++static int copy_ctl_value_to_user(void __user *userdata, ++ void __user *valuep, + struct snd_ctl_elem_value *data, + int type, int count) + { +@@ -270,22 +286,22 @@ static int copy_ctl_value_to_user(struct snd_ctl_elem_value32 __user *data32, + if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN || + type == SNDRV_CTL_ELEM_TYPE_INTEGER) { + for (i = 0; i < count; i++) { ++ s32 __user *intp = valuep; + int val; + val = data->value.integer.value[i]; +- if (put_user(val, &data32->value.integer[i])) ++ if (put_user(val, &intp[i])) + return -EFAULT; + } + } else { + size = get_elem_size(type, count); +- if (copy_to_user(data32->value.data, +- data->value.bytes.data, size)) ++ if (copy_to_user(valuep, data->value.bytes.data, size)) + return -EFAULT; + } + return 0; + } + +-static int snd_ctl_elem_read_user_compat(struct snd_card *card, +- struct snd_ctl_elem_value32 __user *data32) ++static int ctl_elem_read_user(struct snd_card *card, ++ void __user *userdata, void __user *valuep) + { + struct snd_ctl_elem_value *data; + int err, type, count; +@@ -294,7 +310,9 @@ static int snd_ctl_elem_read_user_compat(struct snd_card *card, + if (data == NULL) + return -ENOMEM; + +- if ((err = copy_ctl_value_from_user(card, data, data32, &type, &count)) < 0) ++ err = copy_ctl_value_from_user(card, data, userdata, valuep, ++ &type, &count); ++ if (err < 0) + goto error; + + snd_power_lock(card); +@@ -303,14 +321,15 @@ static int snd_ctl_elem_read_user_compat(struct snd_card *card, + err = snd_ctl_elem_read(card, data); + snd_power_unlock(card); + if (err >= 0) +- err = copy_ctl_value_to_user(data32, data, type, count); ++ err = copy_ctl_value_to_user(userdata, valuep, data, ++ type, count); + error: + kfree(data); + return err; + } + +-static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, +- struct snd_ctl_elem_value32 __user *data32) ++static int ctl_elem_write_user(struct snd_ctl_file *file, ++ void __user *userdata, void __user *valuep) + { + struct snd_ctl_elem_value *data; + struct snd_card *card = file->card; +@@ -320,7 +339,9 @@ static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, + if (data == NULL) + return -ENOMEM; + +- if ((err = copy_ctl_value_from_user(card, data, data32, &type, &count)) < 0) ++ err = copy_ctl_value_from_user(card, data, userdata, valuep, ++ &type, &count); ++ if (err < 0) + goto error; + + snd_power_lock(card); +@@ -329,12 +350,39 @@ static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, + err = snd_ctl_elem_write(card, file, data); + snd_power_unlock(card); + if (err >= 0) +- err = copy_ctl_value_to_user(data32, data, type, count); ++ err = copy_ctl_value_to_user(userdata, valuep, data, ++ type, count); + error: + kfree(data); + return err; + } + ++static int snd_ctl_elem_read_user_compat(struct snd_card *card, ++ struct snd_ctl_elem_value32 __user *data32) ++{ ++ return ctl_elem_read_user(card, data32, &data32->value); ++} ++ ++static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, ++ struct snd_ctl_elem_value32 __user *data32) ++{ ++ return ctl_elem_write_user(file, data32, &data32->value); ++} ++ ++#ifdef CONFIG_X86_X32 ++static int snd_ctl_elem_read_user_x32(struct snd_card *card, ++ struct snd_ctl_elem_value_x32 __user *data32) ++{ ++ return ctl_elem_read_user(card, data32, &data32->value); ++} ++ ++static int snd_ctl_elem_write_user_x32(struct snd_ctl_file *file, ++ struct snd_ctl_elem_value_x32 __user *data32) ++{ ++ return ctl_elem_write_user(file, data32, &data32->value); ++} ++#endif /* CONFIG_X86_X32 */ ++ + /* add or replace a user control */ + static int snd_ctl_elem_add_compat(struct snd_ctl_file *file, + struct snd_ctl_elem_info32 __user *data32, +@@ -393,6 +441,10 @@ enum { + SNDRV_CTL_IOCTL_ELEM_WRITE32 = _IOWR('U', 0x13, struct snd_ctl_elem_value32), + SNDRV_CTL_IOCTL_ELEM_ADD32 = _IOWR('U', 0x17, struct snd_ctl_elem_info32), + SNDRV_CTL_IOCTL_ELEM_REPLACE32 = _IOWR('U', 0x18, struct snd_ctl_elem_info32), ++#ifdef CONFIG_X86_X32 ++ SNDRV_CTL_IOCTL_ELEM_READ_X32 = _IOWR('U', 0x12, struct snd_ctl_elem_value_x32), ++ SNDRV_CTL_IOCTL_ELEM_WRITE_X32 = _IOWR('U', 0x13, struct snd_ctl_elem_value_x32), ++#endif /* CONFIG_X86_X32 */ + }; + + static inline long snd_ctl_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) +@@ -431,6 +483,12 @@ static inline long snd_ctl_ioctl_compat(struct file *file, unsigned int cmd, uns + return snd_ctl_elem_add_compat(ctl, argp, 0); + case SNDRV_CTL_IOCTL_ELEM_REPLACE32: + return snd_ctl_elem_add_compat(ctl, argp, 1); ++#ifdef CONFIG_X86_X32 ++ case SNDRV_CTL_IOCTL_ELEM_READ_X32: ++ return snd_ctl_elem_read_user_x32(ctl->card, argp); ++ case SNDRV_CTL_IOCTL_ELEM_WRITE_X32: ++ return snd_ctl_elem_write_user_x32(ctl, argp); ++#endif /* CONFIG_X86_X32 */ + } + + down_read(&snd_ioctl_rwsem); +diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c +index 5268c1f58c25..09a89094dcf7 100644 +--- a/sound/core/rawmidi_compat.c ++++ b/sound/core/rawmidi_compat.c +@@ -94,9 +94,58 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile, + return 0; + } + ++#ifdef CONFIG_X86_X32 ++/* X32 ABI has 64bit timespec and 64bit alignment */ ++struct snd_rawmidi_status_x32 { ++ s32 stream; ++ u32 rsvd; /* alignment */ ++ struct timespec tstamp; ++ u32 avail; ++ u32 xruns; ++ unsigned char reserved[16]; ++} __attribute__((packed)); ++ ++#define put_timespec(src, dst) copy_to_user(dst, src, sizeof(*dst)) ++ ++static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile, ++ struct snd_rawmidi_status_x32 __user *src) ++{ ++ int err; ++ struct snd_rawmidi_status status; ++ ++ if (rfile->output == NULL) ++ return -EINVAL; ++ if (get_user(status.stream, &src->stream)) ++ return -EFAULT; ++ ++ switch (status.stream) { ++ case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ err = snd_rawmidi_output_status(rfile->output, &status); ++ break; ++ case SNDRV_RAWMIDI_STREAM_INPUT: ++ err = snd_rawmidi_input_status(rfile->input, &status); ++ break; ++ default: ++ return -EINVAL; ++ } ++ if (err < 0) ++ return err; ++ ++ if (put_timespec(&status.tstamp, &src->tstamp) || ++ put_user(status.avail, &src->avail) || ++ put_user(status.xruns, &src->xruns)) ++ return -EFAULT; ++ ++ return 0; ++} ++#endif /* CONFIG_X86_X32 */ ++ + enum { + SNDRV_RAWMIDI_IOCTL_PARAMS32 = _IOWR('W', 0x10, struct snd_rawmidi_params32), + SNDRV_RAWMIDI_IOCTL_STATUS32 = _IOWR('W', 0x20, struct snd_rawmidi_status32), ++#ifdef CONFIG_X86_X32 ++ SNDRV_RAWMIDI_IOCTL_STATUS_X32 = _IOWR('W', 0x20, struct snd_rawmidi_status_x32), ++#endif /* CONFIG_X86_X32 */ + }; + + static long snd_rawmidi_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) +@@ -115,6 +164,10 @@ static long snd_rawmidi_ioctl_compat(struct file *file, unsigned int cmd, unsign + return snd_rawmidi_ioctl_params_compat(rfile, argp); + case SNDRV_RAWMIDI_IOCTL_STATUS32: + return snd_rawmidi_ioctl_status_compat(rfile, argp); ++#ifdef CONFIG_X86_X32 ++ case SNDRV_RAWMIDI_IOCTL_STATUS_X32: ++ return snd_rawmidi_ioctl_status_x32(rfile, argp); ++#endif /* CONFIG_X86_X32 */ + } + return -ENOIOCTLCMD; + } +diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c +index 8d4d5e853efe..ab774954c985 100644 +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -150,8 +150,6 @@ odev_release(struct inode *inode, struct file *file) + if ((dp = file->private_data) == NULL) + return 0; + +- snd_seq_oss_drain_write(dp); +- + mutex_lock(®ister_mutex); + snd_seq_oss_release(dp); + mutex_unlock(®ister_mutex); +diff --git a/sound/core/seq/oss/seq_oss_device.h b/sound/core/seq/oss/seq_oss_device.h +index c0154a959d55..2464112b08ad 100644 +--- a/sound/core/seq/oss/seq_oss_device.h ++++ b/sound/core/seq/oss/seq_oss_device.h +@@ -131,7 +131,6 @@ int snd_seq_oss_write(struct seq_oss_devinfo *dp, const char __user *buf, int co + unsigned int snd_seq_oss_poll(struct seq_oss_devinfo *dp, struct file *file, poll_table * wait); + + void snd_seq_oss_reset(struct seq_oss_devinfo *dp); +-void snd_seq_oss_drain_write(struct seq_oss_devinfo *dp); + + /* */ + void snd_seq_oss_process_queue(struct seq_oss_devinfo *dp, abstime_t time); +diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c +index b3f39b5ed742..f9e09e458227 100644 +--- a/sound/core/seq/oss/seq_oss_init.c ++++ b/sound/core/seq/oss/seq_oss_init.c +@@ -457,23 +457,6 @@ snd_seq_oss_release(struct seq_oss_devinfo *dp) + + + /* +- * Wait until the queue is empty (if we don't have nonblock) +- */ +-void +-snd_seq_oss_drain_write(struct seq_oss_devinfo *dp) +-{ +- if (! dp->timer->running) +- return; +- if (is_write_mode(dp->file_mode) && !is_nonblock_mode(dp->file_mode) && +- dp->writeq) { +- debug_printk(("syncing..\n")); +- while (snd_seq_oss_writeq_sync(dp->writeq)) +- ; +- } +-} +- +- +-/* + * reset sequencer devices + */ + void +diff --git a/sound/core/timer_compat.c b/sound/core/timer_compat.c +index e05802ae6e1b..2e908225d754 100644 +--- a/sound/core/timer_compat.c ++++ b/sound/core/timer_compat.c +@@ -70,13 +70,14 @@ static int snd_timer_user_status_compat(struct file *file, + struct snd_timer_status32 __user *_status) + { + struct snd_timer_user *tu; +- struct snd_timer_status status; ++ struct snd_timer_status32 status; + + tu = file->private_data; + if (snd_BUG_ON(!tu->timeri)) + return -ENXIO; + memset(&status, 0, sizeof(status)); +- status.tstamp = tu->tstamp; ++ status.tstamp.tv_sec = tu->tstamp.tv_sec; ++ status.tstamp.tv_nsec = tu->tstamp.tv_nsec; + status.resolution = snd_timer_resolution(tu->timeri); + status.lost = tu->timeri->lost; + status.overrun = tu->overrun; +@@ -88,12 +89,21 @@ static int snd_timer_user_status_compat(struct file *file, + return 0; + } + ++#ifdef CONFIG_X86_X32 ++/* X32 ABI has the same struct as x86-64 */ ++#define snd_timer_user_status_x32(file, s) \ ++ snd_timer_user_status(file, s) ++#endif /* CONFIG_X86_X32 */ ++ + /* + */ + + enum { + SNDRV_TIMER_IOCTL_INFO32 = _IOR('T', 0x11, struct snd_timer_info32), + SNDRV_TIMER_IOCTL_STATUS32 = _IOW('T', 0x14, struct snd_timer_status32), ++#ifdef CONFIG_X86_X32 ++ SNDRV_TIMER_IOCTL_STATUS_X32 = _IOW('T', 0x14, struct snd_timer_status), ++#endif /* CONFIG_X86_X32 */ + }; + + static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) +@@ -122,6 +132,10 @@ static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, uns + return snd_timer_user_info_compat(file, argp); + case SNDRV_TIMER_IOCTL_STATUS32: + return snd_timer_user_status_compat(file, argp); ++#ifdef CONFIG_X86_X32 ++ case SNDRV_TIMER_IOCTL_STATUS_X32: ++ return snd_timer_user_status_x32(file, argp); ++#endif /* CONFIG_X86_X32 */ + } + return -ENOIOCTLCMD; + } +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index bd90c80bb494..4bc0d66377d6 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -2917,7 +2917,7 @@ static int snd_hdsp_get_dds_offset(struct snd_kcontrol *kcontrol, struct snd_ctl + { + struct hdsp *hdsp = snd_kcontrol_chip(kcontrol); + +- ucontrol->value.enumerated.item[0] = hdsp_dds_offset(hdsp); ++ ucontrol->value.integer.value[0] = hdsp_dds_offset(hdsp); + return 0; + } + +@@ -2929,7 +2929,7 @@ static int snd_hdsp_put_dds_offset(struct snd_kcontrol *kcontrol, struct snd_ctl + + if (!snd_hdsp_use_is_exclusive(hdsp)) + return -EBUSY; +- val = ucontrol->value.enumerated.item[0]; ++ val = ucontrol->value.integer.value[0]; + spin_lock_irq(&hdsp->lock); + if (val != hdsp_dds_offset(hdsp)) + change = (hdsp_set_dds_offset(hdsp, val) == 0) ? 1 : 0; +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index 21167503a3f9..dec173081798 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -1602,6 +1602,9 @@ static void hdspm_set_dds_value(struct hdspm *hdspm, int rate) + { + u64 n; + ++ if (snd_BUG_ON(rate <= 0)) ++ return; ++ + if (rate >= 112000) + rate /= 4; + else if (rate >= 56000) +@@ -2224,6 +2227,8 @@ static int hdspm_get_system_sample_rate(struct hdspm *hdspm) + } else { + /* slave mode, return external sample rate */ + rate = hdspm_external_sample_rate(hdspm); ++ if (!rate) ++ rate = hdspm->system_sample_rate; + } + } + +@@ -2269,8 +2274,11 @@ static int snd_hdspm_put_system_sample_rate(struct snd_kcontrol *kcontrol, + ucontrol) + { + struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); ++ int rate = ucontrol->value.integer.value[0]; + +- hdspm_set_dds_value(hdspm, ucontrol->value.enumerated.item[0]); ++ if (rate < 27000 || rate > 207000) ++ return -EINVAL; ++ hdspm_set_dds_value(hdspm, ucontrol->value.integer.value[0]); + return 0; + } + +@@ -4469,7 +4477,7 @@ static int snd_hdspm_get_tco_word_term(struct snd_kcontrol *kcontrol, + { + struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); + +- ucontrol->value.enumerated.item[0] = hdspm->tco->term; ++ ucontrol->value.integer.value[0] = hdspm->tco->term; + + return 0; + } +@@ -4480,8 +4488,8 @@ static int snd_hdspm_put_tco_word_term(struct snd_kcontrol *kcontrol, + { + struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); + +- if (hdspm->tco->term != ucontrol->value.enumerated.item[0]) { +- hdspm->tco->term = ucontrol->value.enumerated.item[0]; ++ if (hdspm->tco->term != ucontrol->value.integer.value[0]) { ++ hdspm->tco->term = ucontrol->value.integer.value[0]; + + hdspm_tco_write(hdspm); + diff --git a/patch/kernel/cubox-dev/patch-3.14.64-65.patch b/patch/kernel/cubox-dev/patch-3.14.64-65.patch new file mode 100644 index 000000000..73548c75e --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.64-65.patch @@ -0,0 +1,1518 @@ +diff --git a/Documentation/filesystems/efivarfs.txt b/Documentation/filesystems/efivarfs.txt +index c477af086e65..686a64bba775 100644 +--- a/Documentation/filesystems/efivarfs.txt ++++ b/Documentation/filesystems/efivarfs.txt +@@ -14,3 +14,10 @@ filesystem. + efivarfs is typically mounted like this, + + mount -t efivarfs none /sys/firmware/efi/efivars ++ ++Due to the presence of numerous firmware bugs where removing non-standard ++UEFI variables causes the system firmware to fail to POST, efivarfs ++files that are not well-known standardized variables are created ++as immutable files. This doesn't prevent removal - "chattr -i" will work - ++but it does prevent this kind of failure from being accomplished ++accidentally. +diff --git a/Makefile b/Makefile +index de41fa82652f..a19c22a77728 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 64 ++SUBLEVEL = 65 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c +index 12664c130d73..78a859ec4946 100644 +--- a/arch/powerpc/kernel/module_64.c ++++ b/arch/powerpc/kernel/module_64.c +@@ -202,7 +202,7 @@ static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab) + if (syms[i].st_shndx == SHN_UNDEF) { + char *name = strtab + syms[i].st_name; + if (name[0] == '.') +- memmove(name, name+1, strlen(name)); ++ syms[i].st_name++; + } + } + } +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index b3bad672e5d9..87fa70f8472a 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -1148,6 +1148,20 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S) + std r6, VCPU_ACOP(r9) + stw r7, VCPU_GUEST_PID(r9) + std r8, VCPU_WORT(r9) ++ /* ++ * Restore various registers to 0, where non-zero values ++ * set by the guest could disrupt the host. ++ */ ++ li r0, 0 ++ mtspr SPRN_IAMR, r0 ++ mtspr SPRN_CIABR, r0 ++ mtspr SPRN_DAWRX, r0 ++ mtspr SPRN_TCSCR, r0 ++ mtspr SPRN_WORT, r0 ++ /* Set MMCRS to 1<<31 to freeze and disable the SPMC counters */ ++ li r0, 1 ++ sldi r0, r0, 31 ++ mtspr SPRN_MMCRS, r0 + 8: + + /* Save and reset AMR and UAMOR before turning on the MMU */ +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 80c22a3ca688..b6fc5fc64cef 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1555,6 +1555,13 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr, + return; + } + break; ++ case MSR_IA32_PEBS_ENABLE: ++ /* PEBS needs a quiescent period after being disabled (to write ++ * a record). Disabling PEBS through VMX MSR swapping doesn't ++ * provide that period, so a CPU could write host's record into ++ * guest's memory. ++ */ ++ wrmsrl(MSR_IA32_PEBS_ENABLE, 0); + } + + for (i = 0; i < m->nr; ++i) +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 1777f89875fb..8db66424be97 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1991,6 +1991,8 @@ static void accumulate_steal_time(struct kvm_vcpu *vcpu) + + static void record_steal_time(struct kvm_vcpu *vcpu) + { ++ accumulate_steal_time(vcpu); ++ + if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) + return; + +@@ -2123,12 +2125,6 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + if (!(data & KVM_MSR_ENABLED)) + break; + +- vcpu->arch.st.last_steal = current->sched_info.run_delay; +- +- preempt_disable(); +- accumulate_steal_time(vcpu); +- preempt_enable(); +- + kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); + + break; +@@ -2818,7 +2814,6 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu) + vcpu->cpu = cpu; + } + +- accumulate_steal_time(vcpu); + kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); + } + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 1971f3ccb09a..eeb2fb239934 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -125,23 +125,6 @@ int af_alg_release(struct socket *sock) + } + EXPORT_SYMBOL_GPL(af_alg_release); + +-void af_alg_release_parent(struct sock *sk) +-{ +- struct alg_sock *ask = alg_sk(sk); +- bool last; +- +- sk = ask->parent; +- ask = alg_sk(sk); +- +- lock_sock(sk); +- last = !--ask->refcnt; +- release_sock(sk); +- +- if (last) +- sock_put(sk); +-} +-EXPORT_SYMBOL_GPL(af_alg_release_parent); +- + static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { + struct sock *sk = sock->sk; +@@ -149,7 +132,6 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + struct sockaddr_alg *sa = (void *)uaddr; + const struct af_alg_type *type; + void *private; +- int err; + + if (sock->state == SS_CONNECTED) + return -EINVAL; +@@ -175,22 +157,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + return PTR_ERR(private); + } + +- err = -EBUSY; + lock_sock(sk); +- if (ask->refcnt) +- goto unlock; + + swap(ask->type, type); + swap(ask->private, private); + +- err = 0; +- +-unlock: + release_sock(sk); + + alg_do_release(type, private); + +- return err; ++ return 0; + } + + static int alg_setkey(struct sock *sk, char __user *ukey, +@@ -223,15 +199,11 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + const struct af_alg_type *type; +- int err = -EBUSY; ++ int err = -ENOPROTOOPT; + + lock_sock(sk); +- if (ask->refcnt) +- goto unlock; +- + type = ask->type; + +- err = -ENOPROTOOPT; + if (level != SOL_ALG || !type) + goto unlock; + +@@ -280,8 +252,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) + + sk2->sk_family = PF_ALG; + +- if (!ask->refcnt++) +- sock_hold(sk); ++ sock_hold(sk); + alg_sk(sk2)->parent = sk; + alg_sk(sk2)->type = type; + +diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c +index 3dc248239197..f04ce007bf7f 100644 +--- a/drivers/firmware/efi/efivars.c ++++ b/drivers/firmware/efi/efivars.c +@@ -219,7 +219,8 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) + } + + if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || +- efivar_validate(new_var, new_var->Data, new_var->DataSize) == false) { ++ efivar_validate(new_var->VendorGuid, new_var->VariableName, ++ new_var->Data, new_var->DataSize) == false) { + printk(KERN_ERR "efivars: Malformed variable content\n"); + return -EINVAL; + } +@@ -334,7 +335,8 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, + return -EACCES; + + if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || +- efivar_validate(new_var, new_var->Data, new_var->DataSize) == false) { ++ efivar_validate(new_var->VendorGuid, new_var->VariableName, ++ new_var->Data, new_var->DataSize) == false) { + printk(KERN_ERR "efivars: Malformed variable content\n"); + return -EINVAL; + } +@@ -409,35 +411,27 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var) + { + int i, short_name_size; + char *short_name; +- unsigned long variable_name_size; +- efi_char16_t *variable_name; +- +- variable_name = new_var->var.VariableName; +- variable_name_size = ucs2_strlen(variable_name) * sizeof(efi_char16_t); ++ unsigned long utf8_name_size; ++ efi_char16_t *variable_name = new_var->var.VariableName; + + /* +- * Length of the variable bytes in ASCII, plus the '-' separator, ++ * Length of the variable bytes in UTF8, plus the '-' separator, + * plus the GUID, plus trailing NUL + */ +- short_name_size = variable_name_size / sizeof(efi_char16_t) +- + 1 + EFI_VARIABLE_GUID_LEN + 1; +- +- short_name = kzalloc(short_name_size, GFP_KERNEL); ++ utf8_name_size = ucs2_utf8size(variable_name); ++ short_name_size = utf8_name_size + 1 + EFI_VARIABLE_GUID_LEN + 1; + ++ short_name = kmalloc(short_name_size, GFP_KERNEL); + if (!short_name) + return 1; + +- /* Convert Unicode to normal chars (assume top bits are 0), +- ala UTF-8 */ +- for (i=0; i < (int)(variable_name_size / sizeof(efi_char16_t)); i++) { +- short_name[i] = variable_name[i] & 0xFF; +- } ++ ucs2_as_utf8(short_name, variable_name, short_name_size); ++ + /* This is ugly, but necessary to separate one vendor's + private variables from another's. */ +- +- *(short_name + strlen(short_name)) = '-'; ++ short_name[utf8_name_size] = '-'; + efi_guid_unparse(&new_var->var.VendorGuid, +- short_name + strlen(short_name)); ++ short_name + utf8_name_size + 1); + + new_var->kobj.kset = efivars_kset; + +diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c +index e6125522860a..4e2f46938bf0 100644 +--- a/drivers/firmware/efi/vars.c ++++ b/drivers/firmware/efi/vars.c +@@ -42,7 +42,7 @@ DECLARE_WORK(efivar_work, NULL); + EXPORT_SYMBOL_GPL(efivar_work); + + static bool +-validate_device_path(struct efi_variable *var, int match, u8 *buffer, ++validate_device_path(efi_char16_t *var_name, int match, u8 *buffer, + unsigned long len) + { + struct efi_generic_dev_path *node; +@@ -75,7 +75,7 @@ validate_device_path(struct efi_variable *var, int match, u8 *buffer, + } + + static bool +-validate_boot_order(struct efi_variable *var, int match, u8 *buffer, ++validate_boot_order(efi_char16_t *var_name, int match, u8 *buffer, + unsigned long len) + { + /* An array of 16-bit integers */ +@@ -86,18 +86,18 @@ validate_boot_order(struct efi_variable *var, int match, u8 *buffer, + } + + static bool +-validate_load_option(struct efi_variable *var, int match, u8 *buffer, ++validate_load_option(efi_char16_t *var_name, int match, u8 *buffer, + unsigned long len) + { + u16 filepathlength; + int i, desclength = 0, namelen; + +- namelen = ucs2_strnlen(var->VariableName, sizeof(var->VariableName)); ++ namelen = ucs2_strnlen(var_name, EFI_VAR_NAME_LEN); + + /* Either "Boot" or "Driver" followed by four digits of hex */ + for (i = match; i < match+4; i++) { +- if (var->VariableName[i] > 127 || +- hex_to_bin(var->VariableName[i] & 0xff) < 0) ++ if (var_name[i] > 127 || ++ hex_to_bin(var_name[i] & 0xff) < 0) + return true; + } + +@@ -132,12 +132,12 @@ validate_load_option(struct efi_variable *var, int match, u8 *buffer, + /* + * And, finally, check the filepath + */ +- return validate_device_path(var, match, buffer + desclength + 6, ++ return validate_device_path(var_name, match, buffer + desclength + 6, + filepathlength); + } + + static bool +-validate_uint16(struct efi_variable *var, int match, u8 *buffer, ++validate_uint16(efi_char16_t *var_name, int match, u8 *buffer, + unsigned long len) + { + /* A single 16-bit integer */ +@@ -148,7 +148,7 @@ validate_uint16(struct efi_variable *var, int match, u8 *buffer, + } + + static bool +-validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, ++validate_ascii_string(efi_char16_t *var_name, int match, u8 *buffer, + unsigned long len) + { + int i; +@@ -165,67 +165,133 @@ validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, + } + + struct variable_validate { ++ efi_guid_t vendor; + char *name; +- bool (*validate)(struct efi_variable *var, int match, u8 *data, ++ bool (*validate)(efi_char16_t *var_name, int match, u8 *data, + unsigned long len); + }; + ++/* ++ * This is the list of variables we need to validate, as well as the ++ * whitelist for what we think is safe not to default to immutable. ++ * ++ * If it has a validate() method that's not NULL, it'll go into the ++ * validation routine. If not, it is assumed valid, but still used for ++ * whitelisting. ++ * ++ * Note that it's sorted by {vendor,name}, but globbed names must come after ++ * any other name with the same prefix. ++ */ + static const struct variable_validate variable_validate[] = { +- { "BootNext", validate_uint16 }, +- { "BootOrder", validate_boot_order }, +- { "DriverOrder", validate_boot_order }, +- { "Boot*", validate_load_option }, +- { "Driver*", validate_load_option }, +- { "ConIn", validate_device_path }, +- { "ConInDev", validate_device_path }, +- { "ConOut", validate_device_path }, +- { "ConOutDev", validate_device_path }, +- { "ErrOut", validate_device_path }, +- { "ErrOutDev", validate_device_path }, +- { "Timeout", validate_uint16 }, +- { "Lang", validate_ascii_string }, +- { "PlatformLang", validate_ascii_string }, +- { "", NULL }, ++ { EFI_GLOBAL_VARIABLE_GUID, "BootNext", validate_uint16 }, ++ { EFI_GLOBAL_VARIABLE_GUID, "BootOrder", validate_boot_order }, ++ { EFI_GLOBAL_VARIABLE_GUID, "Boot*", validate_load_option }, ++ { EFI_GLOBAL_VARIABLE_GUID, "DriverOrder", validate_boot_order }, ++ { EFI_GLOBAL_VARIABLE_GUID, "Driver*", validate_load_option }, ++ { EFI_GLOBAL_VARIABLE_GUID, "ConIn", validate_device_path }, ++ { EFI_GLOBAL_VARIABLE_GUID, "ConInDev", validate_device_path }, ++ { EFI_GLOBAL_VARIABLE_GUID, "ConOut", validate_device_path }, ++ { EFI_GLOBAL_VARIABLE_GUID, "ConOutDev", validate_device_path }, ++ { EFI_GLOBAL_VARIABLE_GUID, "ErrOut", validate_device_path }, ++ { EFI_GLOBAL_VARIABLE_GUID, "ErrOutDev", validate_device_path }, ++ { EFI_GLOBAL_VARIABLE_GUID, "Lang", validate_ascii_string }, ++ { EFI_GLOBAL_VARIABLE_GUID, "OsIndications", NULL }, ++ { EFI_GLOBAL_VARIABLE_GUID, "PlatformLang", validate_ascii_string }, ++ { EFI_GLOBAL_VARIABLE_GUID, "Timeout", validate_uint16 }, ++ { LINUX_EFI_CRASH_GUID, "*", NULL }, ++ { NULL_GUID, "", NULL }, + }; + ++static bool ++variable_matches(const char *var_name, size_t len, const char *match_name, ++ int *match) ++{ ++ for (*match = 0; ; (*match)++) { ++ char c = match_name[*match]; ++ char u = var_name[*match]; ++ ++ /* Wildcard in the matching name means we've matched */ ++ if (c == '*') ++ return true; ++ ++ /* Case sensitive match */ ++ if (!c && *match == len) ++ return true; ++ ++ if (c != u) ++ return false; ++ ++ if (!c) ++ return true; ++ } ++ return true; ++} ++ + bool +-efivar_validate(struct efi_variable *var, u8 *data, unsigned long len) ++efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data, ++ unsigned long data_size) + { + int i; +- u16 *unicode_name = var->VariableName; ++ unsigned long utf8_size; ++ u8 *utf8_name; + +- for (i = 0; variable_validate[i].validate != NULL; i++) { +- const char *name = variable_validate[i].name; +- int match; ++ utf8_size = ucs2_utf8size(var_name); ++ utf8_name = kmalloc(utf8_size + 1, GFP_KERNEL); ++ if (!utf8_name) ++ return false; + +- for (match = 0; ; match++) { +- char c = name[match]; +- u16 u = unicode_name[match]; ++ ucs2_as_utf8(utf8_name, var_name, utf8_size); ++ utf8_name[utf8_size] = '\0'; + +- /* All special variables are plain ascii */ +- if (u > 127) +- return true; ++ for (i = 0; variable_validate[i].name[0] != '\0'; i++) { ++ const char *name = variable_validate[i].name; ++ int match = 0; + +- /* Wildcard in the matching name means we've matched */ +- if (c == '*') +- return variable_validate[i].validate(var, +- match, data, len); ++ if (efi_guidcmp(vendor, variable_validate[i].vendor)) ++ continue; + +- /* Case sensitive match */ +- if (c != u) ++ if (variable_matches(utf8_name, utf8_size+1, name, &match)) { ++ if (variable_validate[i].validate == NULL) + break; +- +- /* Reached the end of the string while matching */ +- if (!c) +- return variable_validate[i].validate(var, +- match, data, len); ++ kfree(utf8_name); ++ return variable_validate[i].validate(var_name, match, ++ data, data_size); + } + } +- ++ kfree(utf8_name); + return true; + } + EXPORT_SYMBOL_GPL(efivar_validate); + ++bool ++efivar_variable_is_removable(efi_guid_t vendor, const char *var_name, ++ size_t len) ++{ ++ int i; ++ bool found = false; ++ int match = 0; ++ ++ /* ++ * Check if our variable is in the validated variables list ++ */ ++ for (i = 0; variable_validate[i].name[0] != '\0'; i++) { ++ if (efi_guidcmp(variable_validate[i].vendor, vendor)) ++ continue; ++ ++ if (variable_matches(var_name, len, ++ variable_validate[i].name, &match)) { ++ found = true; ++ break; ++ } ++ } ++ ++ /* ++ * If it's in our list, it is removable. ++ */ ++ return found; ++} ++EXPORT_SYMBOL_GPL(efivar_variable_is_removable); ++ + static efi_status_t + check_var_size(u32 attributes, unsigned long size) + { +@@ -805,7 +871,7 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes, + + *set = false; + +- if (efivar_validate(&entry->var, data, *size) == false) ++ if (efivar_validate(*vendor, name, data, *size) == false) + return -EINVAL; + + /* +diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c +index 8dd524f32284..08f105a06fbf 100644 +--- a/fs/efivarfs/file.c ++++ b/fs/efivarfs/file.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +@@ -108,9 +109,79 @@ out_free: + return size; + } + ++static int ++efivarfs_ioc_getxflags(struct file *file, void __user *arg) ++{ ++ struct inode *inode = file->f_mapping->host; ++ unsigned int i_flags; ++ unsigned int flags = 0; ++ ++ i_flags = inode->i_flags; ++ if (i_flags & S_IMMUTABLE) ++ flags |= FS_IMMUTABLE_FL; ++ ++ if (copy_to_user(arg, &flags, sizeof(flags))) ++ return -EFAULT; ++ return 0; ++} ++ ++static int ++efivarfs_ioc_setxflags(struct file *file, void __user *arg) ++{ ++ struct inode *inode = file->f_mapping->host; ++ unsigned int flags; ++ unsigned int i_flags = 0; ++ int error; ++ ++ if (!inode_owner_or_capable(inode)) ++ return -EACCES; ++ ++ if (copy_from_user(&flags, arg, sizeof(flags))) ++ return -EFAULT; ++ ++ if (flags & ~FS_IMMUTABLE_FL) ++ return -EOPNOTSUPP; ++ ++ if (!capable(CAP_LINUX_IMMUTABLE)) ++ return -EPERM; ++ ++ if (flags & FS_IMMUTABLE_FL) ++ i_flags |= S_IMMUTABLE; ++ ++ ++ error = mnt_want_write_file(file); ++ if (error) ++ return error; ++ ++ mutex_lock(&inode->i_mutex); ++ inode->i_flags &= ~S_IMMUTABLE; ++ inode->i_flags |= i_flags; ++ mutex_unlock(&inode->i_mutex); ++ ++ mnt_drop_write_file(file); ++ ++ return 0; ++} ++ ++long ++efivarfs_file_ioctl(struct file *file, unsigned int cmd, unsigned long p) ++{ ++ void __user *arg = (void __user *)p; ++ ++ switch (cmd) { ++ case FS_IOC_GETFLAGS: ++ return efivarfs_ioc_getxflags(file, arg); ++ case FS_IOC_SETFLAGS: ++ return efivarfs_ioc_setxflags(file, arg); ++ } ++ ++ return -ENOTTY; ++} ++ + const struct file_operations efivarfs_file_operations = { + .open = simple_open, + .read = efivarfs_file_read, + .write = efivarfs_file_write, + .llseek = no_llseek, ++ .unlocked_ioctl = efivarfs_file_ioctl, + }; +diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c +index 07ab49745e31..7e7318f10575 100644 +--- a/fs/efivarfs/inode.c ++++ b/fs/efivarfs/inode.c +@@ -15,7 +15,8 @@ + #include "internal.h" + + struct inode *efivarfs_get_inode(struct super_block *sb, +- const struct inode *dir, int mode, dev_t dev) ++ const struct inode *dir, int mode, ++ dev_t dev, bool is_removable) + { + struct inode *inode = new_inode(sb); + +@@ -23,6 +24,7 @@ struct inode *efivarfs_get_inode(struct super_block *sb, + inode->i_ino = get_next_ino(); + inode->i_mode = mode; + inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME; ++ inode->i_flags = is_removable ? 0 : S_IMMUTABLE; + switch (mode & S_IFMT) { + case S_IFREG: + inode->i_fop = &efivarfs_file_operations; +@@ -102,22 +104,17 @@ static void efivarfs_hex_to_guid(const char *str, efi_guid_t *guid) + static int efivarfs_create(struct inode *dir, struct dentry *dentry, + umode_t mode, bool excl) + { +- struct inode *inode; ++ struct inode *inode = NULL; + struct efivar_entry *var; + int namelen, i = 0, err = 0; ++ bool is_removable = false; + + if (!efivarfs_valid_name(dentry->d_name.name, dentry->d_name.len)) + return -EINVAL; + +- inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0); +- if (!inode) +- return -ENOMEM; +- + var = kzalloc(sizeof(struct efivar_entry), GFP_KERNEL); +- if (!var) { +- err = -ENOMEM; +- goto out; +- } ++ if (!var) ++ return -ENOMEM; + + /* length of the variable name itself: remove GUID and separator */ + namelen = dentry->d_name.len - EFI_VARIABLE_GUID_LEN - 1; +@@ -125,6 +122,16 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, + efivarfs_hex_to_guid(dentry->d_name.name + namelen + 1, + &var->var.VendorGuid); + ++ if (efivar_variable_is_removable(var->var.VendorGuid, ++ dentry->d_name.name, namelen)) ++ is_removable = true; ++ ++ inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0, is_removable); ++ if (!inode) { ++ err = -ENOMEM; ++ goto out; ++ } ++ + for (i = 0; i < namelen; i++) + var->var.VariableName[i] = dentry->d_name.name[i]; + +@@ -138,7 +145,8 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, + out: + if (err) { + kfree(var); +- iput(inode); ++ if (inode) ++ iput(inode); + } + return err; + } +diff --git a/fs/efivarfs/internal.h b/fs/efivarfs/internal.h +index b5ff16addb7c..b4505188e799 100644 +--- a/fs/efivarfs/internal.h ++++ b/fs/efivarfs/internal.h +@@ -15,7 +15,8 @@ extern const struct file_operations efivarfs_file_operations; + extern const struct inode_operations efivarfs_dir_inode_operations; + extern bool efivarfs_valid_name(const char *str, int len); + extern struct inode *efivarfs_get_inode(struct super_block *sb, +- const struct inode *dir, int mode, dev_t dev); ++ const struct inode *dir, int mode, dev_t dev, ++ bool is_removable); + + extern struct list_head efivarfs_list; + +diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c +index becc725a1953..a3a30f84f917 100644 +--- a/fs/efivarfs/super.c ++++ b/fs/efivarfs/super.c +@@ -118,8 +118,9 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, + struct dentry *dentry, *root = sb->s_root; + unsigned long size = 0; + char *name; +- int len, i; ++ int len; + int err = -ENOMEM; ++ bool is_removable = false; + + entry = kmalloc(sizeof(*entry), GFP_KERNEL); + if (!entry) +@@ -128,15 +129,17 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, + memcpy(entry->var.VariableName, name16, name_size); + memcpy(&(entry->var.VendorGuid), &vendor, sizeof(efi_guid_t)); + +- len = ucs2_strlen(entry->var.VariableName); ++ len = ucs2_utf8size(entry->var.VariableName); + + /* name, plus '-', plus GUID, plus NUL*/ + name = kmalloc(len + 1 + EFI_VARIABLE_GUID_LEN + 1, GFP_KERNEL); + if (!name) + goto fail; + +- for (i = 0; i < len; i++) +- name[i] = entry->var.VariableName[i] & 0xFF; ++ ucs2_as_utf8(name, entry->var.VariableName, len); ++ ++ if (efivar_variable_is_removable(entry->var.VendorGuid, name, len)) ++ is_removable = true; + + name[len] = '-'; + +@@ -144,7 +147,8 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, + + name[len + EFI_VARIABLE_GUID_LEN+1] = '\0'; + +- inode = efivarfs_get_inode(sb, root->d_inode, S_IFREG | 0644, 0); ++ inode = efivarfs_get_inode(sb, root->d_inode, S_IFREG | 0644, 0, ++ is_removable); + if (!inode) + goto fail_name; + +@@ -200,7 +204,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) + sb->s_d_op = &efivarfs_d_ops; + sb->s_time_gran = 1; + +- inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0); ++ inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0, true); + if (!inode) + return -ENOMEM; + inode->i_op = &efivarfs_dir_inode_operations; +diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h +index 2f38daaab3d7..d61c11170213 100644 +--- a/include/crypto/if_alg.h ++++ b/include/crypto/if_alg.h +@@ -30,8 +30,6 @@ struct alg_sock { + + struct sock *parent; + +- unsigned int refcnt; +- + const struct af_alg_type *type; + void *private; + }; +@@ -66,7 +64,6 @@ int af_alg_register_type(const struct af_alg_type *type); + int af_alg_unregister_type(const struct af_alg_type *type); + + int af_alg_release(struct socket *sock); +-void af_alg_release_parent(struct sock *sk); + int af_alg_accept(struct sock *sk, struct socket *newsock); + + int af_alg_make_sg(struct af_alg_sgl *sgl, void __user *addr, int len, +@@ -83,6 +80,11 @@ static inline struct alg_sock *alg_sk(struct sock *sk) + return (struct alg_sock *)sk; + } + ++static inline void af_alg_release_parent(struct sock *sk) ++{ ++ sock_put(alg_sk(sk)->parent); ++} ++ + static inline void af_alg_init_completion(struct af_alg_completion *completion) + { + init_completion(&completion->completion); +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 0a819e7a60c9..b39a4651360a 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -792,8 +792,10 @@ struct efivars { + * and we use a page for reading/writing. + */ + ++#define EFI_VAR_NAME_LEN 1024 ++ + struct efi_variable { +- efi_char16_t VariableName[1024/sizeof(efi_char16_t)]; ++ efi_char16_t VariableName[EFI_VAR_NAME_LEN/sizeof(efi_char16_t)]; + efi_guid_t VendorGuid; + unsigned long DataSize; + __u8 Data[1024]; +@@ -864,7 +866,10 @@ int efivar_entry_iter(int (*func)(struct efivar_entry *, void *), + struct efivar_entry *efivar_entry_find(efi_char16_t *name, efi_guid_t guid, + struct list_head *head, bool remove); + +-bool efivar_validate(struct efi_variable *var, u8 *data, unsigned long len); ++bool efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data, ++ unsigned long data_size); ++bool efivar_variable_is_removable(efi_guid_t vendor, const char *name, ++ size_t len); + + extern struct work_struct efivar_work; + void efivar_run_worker(void); +diff --git a/include/linux/module.h b/include/linux/module.h +index eaf60ff9ba94..adea1d663a06 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -227,6 +227,12 @@ struct module_ref { + unsigned long decs; + } __attribute((aligned(2 * sizeof(unsigned long)))); + ++struct mod_kallsyms { ++ Elf_Sym *symtab; ++ unsigned int num_symtab; ++ char *strtab; ++}; ++ + struct module { + enum module_state state; + +@@ -314,14 +320,9 @@ struct module { + #endif + + #ifdef CONFIG_KALLSYMS +- /* +- * We keep the symbol and string tables for kallsyms. +- * The core_* fields below are temporary, loader-only (they +- * could really be discarded after module init). +- */ +- Elf_Sym *symtab, *core_symtab; +- unsigned int num_symtab, core_num_syms; +- char *strtab, *core_strtab; ++ /* Protected by RCU and/or module_mutex: use rcu_dereference() */ ++ struct mod_kallsyms *kallsyms; ++ struct mod_kallsyms core_kallsyms; + + /* Section attributes */ + struct module_sect_attrs *sect_attrs; +diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h +index 97c8689c7e51..326f8b238c31 100644 +--- a/include/linux/tracepoint.h ++++ b/include/linux/tracepoint.h +@@ -129,9 +129,6 @@ static inline void tracepoint_synchronize_unregister(void) + void *it_func; \ + void *__data; \ + \ +- if (!cpu_online(raw_smp_processor_id())) \ +- return; \ +- \ + if (!(cond)) \ + return; \ + prercu; \ +@@ -265,15 +262,19 @@ static inline void tracepoint_synchronize_unregister(void) + * "void *__data, proto" as the callback prototype. + */ + #define DECLARE_TRACE_NOARGS(name) \ +- __DECLARE_TRACE(name, void, , 1, void *__data, __data) ++ __DECLARE_TRACE(name, void, , \ ++ cpu_online(raw_smp_processor_id()), \ ++ void *__data, __data) + + #define DECLARE_TRACE(name, proto, args) \ +- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), 1, \ +- PARAMS(void *__data, proto), \ +- PARAMS(__data, args)) ++ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \ ++ cpu_online(raw_smp_processor_id()), \ ++ PARAMS(void *__data, proto), \ ++ PARAMS(__data, args)) + + #define DECLARE_TRACE_CONDITION(name, proto, args, cond) \ +- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), PARAMS(cond), \ ++ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \ ++ cpu_online(raw_smp_processor_id()) && (PARAMS(cond)), \ + PARAMS(void *__data, proto), \ + PARAMS(__data, args)) + +diff --git a/include/linux/ucs2_string.h b/include/linux/ucs2_string.h +index cbb20afdbc01..bb679b48f408 100644 +--- a/include/linux/ucs2_string.h ++++ b/include/linux/ucs2_string.h +@@ -11,4 +11,8 @@ unsigned long ucs2_strlen(const ucs2_char_t *s); + unsigned long ucs2_strsize(const ucs2_char_t *data, unsigned long maxlength); + int ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len); + ++unsigned long ucs2_utf8size(const ucs2_char_t *src); ++unsigned long ucs2_as_utf8(u8 *dest, const ucs2_char_t *src, ++ unsigned long maxlength); ++ + #endif /* _LINUX_UCS2_STRING_H_ */ +diff --git a/kernel/module.c b/kernel/module.c +index e40617fac8ad..3a311a1d26d7 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -180,6 +180,9 @@ struct load_info { + struct _ddebug *debug; + unsigned int num_debug; + bool sig_ok; ++#ifdef CONFIG_KALLSYMS ++ unsigned long mod_kallsyms_init_off; ++#endif + struct { + unsigned int sym, str, mod, vers, info, pcpu; + } index; +@@ -2320,8 +2323,20 @@ static void layout_symtab(struct module *mod, struct load_info *info) + strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect, + info->index.str) | INIT_OFFSET_MASK; + pr_debug("\t%s\n", info->secstrings + strsect->sh_name); ++ ++ /* We'll tack temporary mod_kallsyms on the end. */ ++ mod->init_size = ALIGN(mod->init_size, ++ __alignof__(struct mod_kallsyms)); ++ info->mod_kallsyms_init_off = mod->init_size; ++ mod->init_size += sizeof(struct mod_kallsyms); ++ mod->init_size = debug_align(mod->init_size); + } + ++/* ++ * We use the full symtab and strtab which layout_symtab arranged to ++ * be appended to the init section. Later we switch to the cut-down ++ * core-only ones. ++ */ + static void add_kallsyms(struct module *mod, const struct load_info *info) + { + unsigned int i, ndst; +@@ -2330,28 +2345,33 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) + char *s; + Elf_Shdr *symsec = &info->sechdrs[info->index.sym]; + +- mod->symtab = (void *)symsec->sh_addr; +- mod->num_symtab = symsec->sh_size / sizeof(Elf_Sym); ++ /* Set up to point into init section. */ ++ mod->kallsyms = mod->module_init + info->mod_kallsyms_init_off; ++ ++ mod->kallsyms->symtab = (void *)symsec->sh_addr; ++ mod->kallsyms->num_symtab = symsec->sh_size / sizeof(Elf_Sym); + /* Make sure we get permanent strtab: don't use info->strtab. */ +- mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr; ++ mod->kallsyms->strtab = (void *)info->sechdrs[info->index.str].sh_addr; + + /* Set types up while we still have access to sections. */ +- for (i = 0; i < mod->num_symtab; i++) +- mod->symtab[i].st_info = elf_type(&mod->symtab[i], info); +- +- mod->core_symtab = dst = mod->module_core + info->symoffs; +- mod->core_strtab = s = mod->module_core + info->stroffs; +- src = mod->symtab; +- for (ndst = i = 0; i < mod->num_symtab; i++) { ++ for (i = 0; i < mod->kallsyms->num_symtab; i++) ++ mod->kallsyms->symtab[i].st_info ++ = elf_type(&mod->kallsyms->symtab[i], info); ++ ++ /* Now populate the cut down core kallsyms for after init. */ ++ mod->core_kallsyms.symtab = dst = mod->module_core + info->symoffs; ++ mod->core_kallsyms.strtab = s = mod->module_core + info->stroffs; ++ src = mod->kallsyms->symtab; ++ for (ndst = i = 0; i < mod->kallsyms->num_symtab; i++) { + if (i == 0 || + is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) { + dst[ndst] = src[i]; +- dst[ndst++].st_name = s - mod->core_strtab; +- s += strlcpy(s, &mod->strtab[src[i].st_name], ++ dst[ndst++].st_name = s - mod->core_kallsyms.strtab; ++ s += strlcpy(s, &mod->kallsyms->strtab[src[i].st_name], + KSYM_NAME_LEN) + 1; + } + } +- mod->core_num_syms = ndst; ++ mod->core_kallsyms.num_symtab = ndst; + } + #else + static inline void layout_symtab(struct module *mod, struct load_info *info) +@@ -3089,9 +3109,8 @@ static int do_init_module(struct module *mod) + module_put(mod); + trim_init_extable(mod); + #ifdef CONFIG_KALLSYMS +- mod->num_symtab = mod->core_num_syms; +- mod->symtab = mod->core_symtab; +- mod->strtab = mod->core_strtab; ++ /* Switch to core kallsyms now init is done: kallsyms may be walking! */ ++ rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); + #endif + unset_module_init_ro_nx(mod); + module_free(mod, mod->module_init); +@@ -3381,9 +3400,9 @@ static inline int is_arm_mapping_symbol(const char *str) + && (str[2] == '\0' || str[2] == '.'); + } + +-static const char *symname(struct module *mod, unsigned int symnum) ++static const char *symname(struct mod_kallsyms *kallsyms, unsigned int symnum) + { +- return mod->strtab + mod->symtab[symnum].st_name; ++ return kallsyms->strtab + kallsyms->symtab[symnum].st_name; + } + + static const char *get_ksymbol(struct module *mod, +@@ -3393,6 +3412,7 @@ static const char *get_ksymbol(struct module *mod, + { + unsigned int i, best = 0; + unsigned long nextval; ++ struct mod_kallsyms *kallsyms = rcu_dereference_sched(mod->kallsyms); + + /* At worse, next value is at end of module */ + if (within_module_init(addr, mod)) +@@ -3402,32 +3422,32 @@ static const char *get_ksymbol(struct module *mod, + + /* Scan for closest preceding symbol, and next symbol. (ELF + starts real symbols at 1). */ +- for (i = 1; i < mod->num_symtab; i++) { +- if (mod->symtab[i].st_shndx == SHN_UNDEF) ++ for (i = 1; i < kallsyms->num_symtab; i++) { ++ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF) + continue; + + /* We ignore unnamed symbols: they're uninformative + * and inserted at a whim. */ +- if (*symname(mod, i) == '\0' +- || is_arm_mapping_symbol(symname(mod, i))) ++ if (*symname(kallsyms, i) == '\0' ++ || is_arm_mapping_symbol(symname(kallsyms, i))) + continue; + +- if (mod->symtab[i].st_value <= addr +- && mod->symtab[i].st_value > mod->symtab[best].st_value) ++ if (kallsyms->symtab[i].st_value <= addr ++ && kallsyms->symtab[i].st_value > kallsyms->symtab[best].st_value) + best = i; +- if (mod->symtab[i].st_value > addr +- && mod->symtab[i].st_value < nextval) +- nextval = mod->symtab[i].st_value; ++ if (kallsyms->symtab[i].st_value > addr ++ && kallsyms->symtab[i].st_value < nextval) ++ nextval = kallsyms->symtab[i].st_value; + } + + if (!best) + return NULL; + + if (size) +- *size = nextval - mod->symtab[best].st_value; ++ *size = nextval - kallsyms->symtab[best].st_value; + if (offset) +- *offset = addr - mod->symtab[best].st_value; +- return symname(mod, best); ++ *offset = addr - kallsyms->symtab[best].st_value; ++ return symname(kallsyms, best); + } + + /* For kallsyms to ask for address resolution. NULL means not found. Careful +@@ -3523,18 +3543,21 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, + + preempt_disable(); + list_for_each_entry_rcu(mod, &modules, list) { ++ struct mod_kallsyms *kallsyms; ++ + if (mod->state == MODULE_STATE_UNFORMED) + continue; +- if (symnum < mod->num_symtab) { +- *value = mod->symtab[symnum].st_value; +- *type = mod->symtab[symnum].st_info; +- strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN); ++ kallsyms = rcu_dereference_sched(mod->kallsyms); ++ if (symnum < kallsyms->num_symtab) { ++ *value = kallsyms->symtab[symnum].st_value; ++ *type = kallsyms->symtab[symnum].st_info; ++ strlcpy(name, symname(kallsyms, symnum), KSYM_NAME_LEN); + strlcpy(module_name, mod->name, MODULE_NAME_LEN); + *exported = is_exported(name, *value, mod); + preempt_enable(); + return 0; + } +- symnum -= mod->num_symtab; ++ symnum -= kallsyms->num_symtab; + } + preempt_enable(); + return -ERANGE; +@@ -3543,11 +3566,12 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, + static unsigned long mod_find_symname(struct module *mod, const char *name) + { + unsigned int i; ++ struct mod_kallsyms *kallsyms = rcu_dereference_sched(mod->kallsyms); + +- for (i = 0; i < mod->num_symtab; i++) +- if (strcmp(name, symname(mod, i)) == 0 && +- mod->symtab[i].st_info != 'U') +- return mod->symtab[i].st_value; ++ for (i = 0; i < kallsyms->num_symtab; i++) ++ if (strcmp(name, symname(kallsyms, i)) == 0 && ++ kallsyms->symtab[i].st_info != 'U') ++ return kallsyms->symtab[i].st_value; + return 0; + } + +@@ -3584,11 +3608,14 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, + int ret; + + list_for_each_entry(mod, &modules, list) { ++ /* We hold module_mutex: no need for rcu_dereference_sched */ ++ struct mod_kallsyms *kallsyms = mod->kallsyms; ++ + if (mod->state == MODULE_STATE_UNFORMED) + continue; +- for (i = 0; i < mod->num_symtab; i++) { +- ret = fn(data, symname(mod, i), +- mod, mod->symtab[i].st_value); ++ for (i = 0; i < kallsyms->num_symtab; i++) { ++ ret = fn(data, symname(kallsyms, i), ++ mod, kallsyms->symtab[i].st_value); + if (ret != 0) + return ret; + } +diff --git a/lib/ucs2_string.c b/lib/ucs2_string.c +index 6f500ef2301d..f0b323abb4c6 100644 +--- a/lib/ucs2_string.c ++++ b/lib/ucs2_string.c +@@ -49,3 +49,65 @@ ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len) + } + } + EXPORT_SYMBOL(ucs2_strncmp); ++ ++unsigned long ++ucs2_utf8size(const ucs2_char_t *src) ++{ ++ unsigned long i; ++ unsigned long j = 0; ++ ++ for (i = 0; i < ucs2_strlen(src); i++) { ++ u16 c = src[i]; ++ ++ if (c >= 0x800) ++ j += 3; ++ else if (c >= 0x80) ++ j += 2; ++ else ++ j += 1; ++ } ++ ++ return j; ++} ++EXPORT_SYMBOL(ucs2_utf8size); ++ ++/* ++ * copy at most maxlength bytes of whole utf8 characters to dest from the ++ * ucs2 string src. ++ * ++ * The return value is the number of characters copied, not including the ++ * final NUL character. ++ */ ++unsigned long ++ucs2_as_utf8(u8 *dest, const ucs2_char_t *src, unsigned long maxlength) ++{ ++ unsigned int i; ++ unsigned long j = 0; ++ unsigned long limit = ucs2_strnlen(src, maxlength); ++ ++ for (i = 0; maxlength && i < limit; i++) { ++ u16 c = src[i]; ++ ++ if (c >= 0x800) { ++ if (maxlength < 3) ++ break; ++ maxlength -= 3; ++ dest[j++] = 0xe0 | (c & 0xf000) >> 12; ++ dest[j++] = 0x80 | (c & 0x0fc0) >> 6; ++ dest[j++] = 0x80 | (c & 0x003f); ++ } else if (c >= 0x80) { ++ if (maxlength < 2) ++ break; ++ maxlength -= 2; ++ dest[j++] = 0xc0 | (c & 0x7c0) >> 6; ++ dest[j++] = 0x80 | (c & 0x03f); ++ } else { ++ maxlength -= 1; ++ dest[j++] = c & 0x7f; ++ } ++ } ++ if (maxlength) ++ dest[j] = '\0'; ++ return j; ++} ++EXPORT_SYMBOL(ucs2_as_utf8); +diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c +index 31bf2586fb84..864408026202 100644 +--- a/net/mac80211/agg-rx.c ++++ b/net/mac80211/agg-rx.c +@@ -290,7 +290,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local, + } + + /* prepare A-MPDU MLME for Rx aggregation */ +- tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL); ++ tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL); + if (!tid_agg_rx) + goto end; + +diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c +index c1b5b73c5b91..c3111e2b6fa0 100644 +--- a/net/mac80211/rc80211_minstrel_ht.c ++++ b/net/mac80211/rc80211_minstrel_ht.c +@@ -463,7 +463,7 @@ minstrel_aggr_check(struct ieee80211_sta *pubsta, struct sk_buff *skb) + if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO) + return; + +- ieee80211_start_tx_ba_session(pubsta, tid, 5000); ++ ieee80211_start_tx_ba_session(pubsta, tid, 0); + } + + static void +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index c8717c1d082e..87dd619fb2e9 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = { + + /* IW event code */ + ++static void wireless_nlevent_flush(void) ++{ ++ struct sk_buff *skb; ++ struct net *net; ++ ++ ASSERT_RTNL(); ++ ++ for_each_net(net) { ++ while ((skb = skb_dequeue(&net->wext_nlevents))) ++ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, ++ GFP_KERNEL); ++ } ++} ++ ++static int wext_netdev_notifier_call(struct notifier_block *nb, ++ unsigned long state, void *ptr) ++{ ++ /* ++ * When a netdev changes state in any way, flush all pending messages ++ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after ++ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close() ++ * or similar - all of which could otherwise happen due to delays from ++ * schedule_work(). ++ */ ++ wireless_nlevent_flush(); ++ ++ return NOTIFY_OK; ++} ++ ++static struct notifier_block wext_netdev_notifier = { ++ .notifier_call = wext_netdev_notifier_call, ++}; ++ + static int __net_init wext_pernet_init(struct net *net) + { + skb_queue_head_init(&net->wext_nlevents); +@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = { + + static int __init wireless_nlevent_init(void) + { +- return register_pernet_subsys(&wext_pernet_ops); ++ int err = register_pernet_subsys(&wext_pernet_ops); ++ ++ if (err) ++ return err; ++ ++ return register_netdevice_notifier(&wext_netdev_notifier); + } + + subsys_initcall(wireless_nlevent_init); +@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init); + /* Process events generated by the wireless layer or the driver. */ + static void wireless_nlevent_process(struct work_struct *work) + { +- struct sk_buff *skb; +- struct net *net; +- + rtnl_lock(); +- +- for_each_net(net) { +- while ((skb = skb_dequeue(&net->wext_nlevents))) +- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, +- GFP_KERNEL); +- } +- ++ wireless_nlevent_flush(); + rtnl_unlock(); + } + +diff --git a/sound/soc/codecs/wm8958-dsp2.c b/sound/soc/codecs/wm8958-dsp2.c +index d4248e00160e..4f736197f6ee 100644 +--- a/sound/soc/codecs/wm8958-dsp2.c ++++ b/sound/soc/codecs/wm8958-dsp2.c +@@ -459,7 +459,7 @@ static int wm8958_put_mbc_enum(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); + struct wm8994 *control = wm8994->wm8994; +- int value = ucontrol->value.integer.value[0]; ++ int value = ucontrol->value.enumerated.item[0]; + int reg; + + /* Don't allow on the fly reconfiguration */ +@@ -549,7 +549,7 @@ static int wm8958_put_vss_enum(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); + struct wm8994 *control = wm8994->wm8994; +- int value = ucontrol->value.integer.value[0]; ++ int value = ucontrol->value.enumerated.item[0]; + int reg; + + /* Don't allow on the fly reconfiguration */ +@@ -582,7 +582,7 @@ static int wm8958_put_vss_hpf_enum(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); + struct wm8994 *control = wm8994->wm8994; +- int value = ucontrol->value.integer.value[0]; ++ int value = ucontrol->value.enumerated.item[0]; + int reg; + + /* Don't allow on the fly reconfiguration */ +@@ -749,7 +749,7 @@ static int wm8958_put_enh_eq_enum(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); + struct wm8994 *control = wm8994->wm8994; +- int value = ucontrol->value.integer.value[0]; ++ int value = ucontrol->value.enumerated.item[0]; + int reg; + + /* Don't allow on the fly reconfiguration */ +diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c +index 66aec0c3b7bb..355b07e4fe2a 100644 +--- a/sound/soc/codecs/wm8994.c ++++ b/sound/soc/codecs/wm8994.c +@@ -360,7 +360,7 @@ static int wm8994_put_drc_enum(struct snd_kcontrol *kcontrol, + struct wm8994 *control = wm8994->wm8994; + struct wm8994_pdata *pdata = &control->pdata; + int drc = wm8994_get_drc(kcontrol->id.name); +- int value = ucontrol->value.integer.value[0]; ++ int value = ucontrol->value.enumerated.item[0]; + + if (drc < 0) + return drc; +@@ -467,7 +467,7 @@ static int wm8994_put_retune_mobile_enum(struct snd_kcontrol *kcontrol, + struct wm8994 *control = wm8994->wm8994; + struct wm8994_pdata *pdata = &control->pdata; + int block = wm8994_get_retune_mobile_block(kcontrol->id.name); +- int value = ucontrol->value.integer.value[0]; ++ int value = ucontrol->value.enumerated.item[0]; + + if (block < 0) + return block; +diff --git a/tools/testing/selftests/efivarfs/efivarfs.sh b/tools/testing/selftests/efivarfs/efivarfs.sh +index 77edcdcc016b..057278448515 100644 +--- a/tools/testing/selftests/efivarfs/efivarfs.sh ++++ b/tools/testing/selftests/efivarfs/efivarfs.sh +@@ -88,7 +88,11 @@ test_delete() + exit 1 + fi + +- rm $file ++ rm $file 2>/dev/null ++ if [ $? -ne 0 ]; then ++ chattr -i $file ++ rm $file ++ fi + + if [ -e $file ]; then + echo "$file couldn't be deleted" >&2 +@@ -111,6 +115,7 @@ test_zero_size_delete() + exit 1 + fi + ++ chattr -i $file + printf "$attrs" > $file + + if [ -e $file ]; then +@@ -141,7 +146,11 @@ test_valid_filenames() + echo "$file could not be created" >&2 + ret=1 + else +- rm $file ++ rm $file 2>/dev/null ++ if [ $? -ne 0 ]; then ++ chattr -i $file ++ rm $file ++ fi + fi + done + +@@ -174,7 +183,11 @@ test_invalid_filenames() + + if [ -e $file ]; then + echo "Creating $file should have failed" >&2 +- rm $file ++ rm $file 2>/dev/null ++ if [ $? -ne 0 ]; then ++ chattr -i $file ++ rm $file ++ fi + ret=1 + fi + done +diff --git a/tools/testing/selftests/efivarfs/open-unlink.c b/tools/testing/selftests/efivarfs/open-unlink.c +index 8c0764407b3c..4af74f733036 100644 +--- a/tools/testing/selftests/efivarfs/open-unlink.c ++++ b/tools/testing/selftests/efivarfs/open-unlink.c +@@ -1,10 +1,68 @@ ++#include + #include + #include + #include + #include ++#include + #include + #include + #include ++#include ++ ++static int set_immutable(const char *path, int immutable) ++{ ++ unsigned int flags; ++ int fd; ++ int rc; ++ int error; ++ ++ fd = open(path, O_RDONLY); ++ if (fd < 0) ++ return fd; ++ ++ rc = ioctl(fd, FS_IOC_GETFLAGS, &flags); ++ if (rc < 0) { ++ error = errno; ++ close(fd); ++ errno = error; ++ return rc; ++ } ++ ++ if (immutable) ++ flags |= FS_IMMUTABLE_FL; ++ else ++ flags &= ~FS_IMMUTABLE_FL; ++ ++ rc = ioctl(fd, FS_IOC_SETFLAGS, &flags); ++ error = errno; ++ close(fd); ++ errno = error; ++ return rc; ++} ++ ++static int get_immutable(const char *path) ++{ ++ unsigned int flags; ++ int fd; ++ int rc; ++ int error; ++ ++ fd = open(path, O_RDONLY); ++ if (fd < 0) ++ return fd; ++ ++ rc = ioctl(fd, FS_IOC_GETFLAGS, &flags); ++ if (rc < 0) { ++ error = errno; ++ close(fd); ++ errno = error; ++ return rc; ++ } ++ close(fd); ++ if (flags & FS_IMMUTABLE_FL) ++ return 1; ++ return 0; ++} + + int main(int argc, char **argv) + { +@@ -27,7 +85,7 @@ int main(int argc, char **argv) + buf[4] = 0; + + /* create a test variable */ +- fd = open(path, O_WRONLY | O_CREAT); ++ fd = open(path, O_WRONLY | O_CREAT, 0600); + if (fd < 0) { + perror("open(O_WRONLY)"); + return EXIT_FAILURE; +@@ -41,6 +99,18 @@ int main(int argc, char **argv) + + close(fd); + ++ rc = get_immutable(path); ++ if (rc < 0) { ++ perror("ioctl(FS_IOC_GETFLAGS)"); ++ return EXIT_FAILURE; ++ } else if (rc) { ++ rc = set_immutable(path, 0); ++ if (rc < 0) { ++ perror("ioctl(FS_IOC_SETFLAGS)"); ++ return EXIT_FAILURE; ++ } ++ } ++ + fd = open(path, O_RDONLY); + if (fd < 0) { + perror("open"); diff --git a/patch/kernel/cubox-dev/patch-3.14.65-66.patch b/patch/kernel/cubox-dev/patch-3.14.65-66.patch new file mode 100644 index 000000000..7abdb61a3 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.65-66.patch @@ -0,0 +1,2248 @@ +diff --git a/Makefile b/Makefile +index a19c22a77728..9053bda13f60 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 65 ++SUBLEVEL = 66 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c +index 29880c9b324e..e22e57298522 100644 +--- a/arch/um/drivers/mconsole_kern.c ++++ b/arch/um/drivers/mconsole_kern.c +@@ -133,7 +133,7 @@ void mconsole_proc(struct mc_request *req) + ptr += strlen("proc"); + ptr = skip_spaces(ptr); + +- file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY); ++ file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY, 0); + if (IS_ERR(file)) { + mconsole_reply(req, "Failed to open file", 1, 0); + printk(KERN_ERR "open /proc/%s: %ld\n", ptr, PTR_ERR(file)); +diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h +index 1d2091a226bc..29559831c94f 100644 +--- a/arch/x86/include/asm/apic.h ++++ b/arch/x86/include/asm/apic.h +@@ -699,8 +699,8 @@ static inline void entering_irq(void) + + static inline void entering_ack_irq(void) + { +- ack_APIC_irq(); + entering_irq(); ++ ack_APIC_irq(); + } + + static inline void exiting_irq(void) +diff --git a/arch/x86/kernel/cpu/perf_event.h b/arch/x86/kernel/cpu/perf_event.h +index 7876c346ed1a..a614543d3ef5 100644 +--- a/arch/x86/kernel/cpu/perf_event.h ++++ b/arch/x86/kernel/cpu/perf_event.h +@@ -445,6 +445,7 @@ struct x86_pmu { + pebs_active :1, + pebs_broken :1; + int pebs_record_size; ++ int pebs_buffer_size; + void (*drain_pebs)(struct pt_regs *regs); + struct event_constraint *pebs_constraints; + void (*pebs_aliases)(struct perf_event *event); +@@ -703,6 +704,8 @@ void intel_pmu_lbr_init_atom(void); + + void intel_pmu_lbr_init_snb(void); + ++void intel_pmu_pebs_data_source_nhm(void); ++ + int intel_pmu_setup_lbr_filter(struct perf_event *event); + + int p4_pmu_init(void); +diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c +index d4c0a0e46040..61cd5200608d 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -2411,6 +2411,7 @@ __init int intel_pmu_init(void) + intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = + X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1); + ++ intel_pmu_pebs_data_source_nhm(); + x86_add_quirk(intel_nehalem_quirk); + + pr_cont("Nehalem events, "); +@@ -2472,6 +2473,7 @@ __init int intel_pmu_init(void) + intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = + X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1); + ++ intel_pmu_pebs_data_source_nhm(); + pr_cont("Westmere events, "); + break; + +diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c +index ae96cfa5eddd..da5f0b60a716 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c +@@ -51,7 +51,8 @@ union intel_x86_pebs_dse { + #define OP_LH (P(OP, LOAD) | P(LVL, HIT)) + #define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS)) + +-static const u64 pebs_data_source[] = { ++/* Version for Sandy Bridge and later */ ++static u64 pebs_data_source[] = { + P(OP, LOAD) | P(LVL, MISS) | P(LVL, L3) | P(SNOOP, NA),/* 0x00:ukn L3 */ + OP_LH | P(LVL, L1) | P(SNOOP, NONE), /* 0x01: L1 local */ + OP_LH | P(LVL, LFB) | P(SNOOP, NONE), /* 0x02: LFB hit */ +@@ -70,6 +71,14 @@ static const u64 pebs_data_source[] = { + OP_LH | P(LVL, UNC) | P(SNOOP, NONE), /* 0x0f: uncached */ + }; + ++/* Patch up minor differences in the bits */ ++void __init intel_pmu_pebs_data_source_nhm(void) ++{ ++ pebs_data_source[0x05] = OP_LH | P(LVL, L3) | P(SNOOP, HIT); ++ pebs_data_source[0x06] = OP_LH | P(LVL, L3) | P(SNOOP, HITM); ++ pebs_data_source[0x07] = OP_LH | P(LVL, L3) | P(SNOOP, HITM); ++} ++ + static u64 precise_store_data(u64 status) + { + union intel_x86_pebs_dse dse; +@@ -241,7 +250,7 @@ static int alloc_pebs_buffer(int cpu) + if (!x86_pmu.pebs) + return 0; + +- buffer = kzalloc_node(PEBS_BUFFER_SIZE, GFP_KERNEL, node); ++ buffer = kzalloc_node(x86_pmu.pebs_buffer_size, GFP_KERNEL, node); + if (unlikely(!buffer)) + return -ENOMEM; + +@@ -258,7 +267,7 @@ static int alloc_pebs_buffer(int cpu) + per_cpu(insn_buffer, cpu) = ibuffer; + } + +- max = PEBS_BUFFER_SIZE / x86_pmu.pebs_record_size; ++ max = x86_pmu.pebs_buffer_size / x86_pmu.pebs_record_size; + + ds->pebs_buffer_base = (u64)(unsigned long)buffer; + ds->pebs_index = ds->pebs_buffer_base; +@@ -1047,6 +1056,7 @@ void intel_ds_init(void) + + x86_pmu.bts = boot_cpu_has(X86_FEATURE_BTS); + x86_pmu.pebs = boot_cpu_has(X86_FEATURE_PEBS); ++ x86_pmu.pebs_buffer_size = PEBS_BUFFER_SIZE; + if (x86_pmu.pebs) { + char pebs_type = x86_pmu.intel_cap.pebs_trap ? '+' : '-'; + int format = x86_pmu.intel_cap.pebs_format; +@@ -1055,6 +1065,14 @@ void intel_ds_init(void) + case 0: + printk(KERN_CONT "PEBS fmt0%c, ", pebs_type); + x86_pmu.pebs_record_size = sizeof(struct pebs_record_core); ++ /* ++ * Using >PAGE_SIZE buffers makes the WRMSR to ++ * PERF_GLOBAL_CTRL in intel_pmu_enable_all() ++ * mysteriously hang on Core2. ++ * ++ * As a workaround, we don't do this. ++ */ ++ x86_pmu.pebs_buffer_size = PAGE_SIZE; + x86_pmu.drain_pebs = intel_pmu_drain_pebs_core; + break; + +diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c +index 4ddaf66ea35f..792621a32457 100644 +--- a/arch/x86/kernel/ioport.c ++++ b/arch/x86/kernel/ioport.c +@@ -96,9 +96,14 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) + SYSCALL_DEFINE1(iopl, unsigned int, level) + { + struct pt_regs *regs = current_pt_regs(); +- unsigned int old = (regs->flags >> 12) & 3; + struct thread_struct *t = ¤t->thread; + ++ /* ++ * Careful: the IOPL bits in regs->flags are undefined under Xen PV ++ * and changing them has no effect. ++ */ ++ unsigned int old = t->iopl >> X86_EFLAGS_IOPL_BIT; ++ + if (level > 3) + return -EINVAL; + /* Trying to gain more privileges? */ +@@ -106,8 +111,9 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + } +- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); +- t->iopl = level << 12; ++ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | ++ (level << X86_EFLAGS_IOPL_BIT); ++ t->iopl = level << X86_EFLAGS_IOPL_BIT; + set_iopl_mask(t->iopl); + + return 0; +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c +index 1406ffde3e35..b0a706d063cb 100644 +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -244,7 +244,7 @@ static void kvm_pit_ack_irq(struct kvm_irq_ack_notifier *kian) + * PIC is being reset. Handle it gracefully here + */ + atomic_inc(&ps->pending); +- else if (value > 0) ++ else if (value > 0 && ps->reinject) + /* in this case, we had multiple outstanding pit interrupts + * that we needed to inject. Reinject + */ +@@ -287,7 +287,9 @@ static void pit_do_work(struct kthread_work *work) + * last one has been acked. + */ + spin_lock(&ps->inject_lock); +- if (ps->irq_ack) { ++ if (!ps->reinject) ++ inject = 1; ++ else if (ps->irq_ack) { + ps->irq_ack = 0; + inject = 1; + } +@@ -316,10 +318,10 @@ static enum hrtimer_restart pit_timer_fn(struct hrtimer *data) + struct kvm_kpit_state *ps = container_of(data, struct kvm_kpit_state, timer); + struct kvm_pit *pt = ps->kvm->arch.vpit; + +- if (ps->reinject || !atomic_read(&ps->pending)) { ++ if (ps->reinject) + atomic_inc(&ps->pending); +- queue_kthread_work(&pt->worker, &pt->expired); +- } ++ ++ queue_kthread_work(&pt->worker, &pt->expired); + + if (ps->is_periodic) { + hrtimer_add_expires_ns(&ps->timer, ps->period); +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index b6fc5fc64cef..397a3ec62f78 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6423,6 +6423,7 @@ static int handle_invept(struct kvm_vcpu *vcpu) + if (!(types & (1UL << type))) { + nested_vmx_failValid(vcpu, + VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID); ++ skip_emulated_instruction(vcpu); + return 1; + } + +diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S +index aeeb3cc8a410..288b61f080fe 100644 +--- a/arch/xtensa/kernel/head.S ++++ b/arch/xtensa/kernel/head.S +@@ -123,7 +123,7 @@ ENTRY(_startup) + wsr a0, icountlevel + + .set _index, 0 +- .rept XCHAL_NUM_DBREAK - 1 ++ .rept XCHAL_NUM_DBREAK + wsr a0, SREG_DBREAKC + _index + .set _index, _index + 1 + .endr +diff --git a/arch/xtensa/platforms/iss/console.c b/arch/xtensa/platforms/iss/console.c +index 70cb408bc20d..92d785fefb6d 100644 +--- a/arch/xtensa/platforms/iss/console.c ++++ b/arch/xtensa/platforms/iss/console.c +@@ -100,21 +100,23 @@ static void rs_poll(unsigned long priv) + { + struct tty_port *port = (struct tty_port *)priv; + int i = 0; ++ int rd = 1; + unsigned char c; + + spin_lock(&timer_lock); + + while (simc_poll(0)) { +- simc_read(0, &c, 1); ++ rd = simc_read(0, &c, 1); ++ if (rd <= 0) ++ break; + tty_insert_flip_char(port, c, TTY_NORMAL); + i++; + } + + if (i) + tty_flip_buffer_push(port); +- +- +- mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); ++ if (rd) ++ mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); + spin_unlock(&timer_lock); + } + +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index 2a09de8d6d71..6be90f0b3730 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -81,6 +81,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x0489, 0xe05f) }, + { USB_DEVICE(0x0489, 0xe076) }, + { USB_DEVICE(0x0489, 0xe078) }, ++ { USB_DEVICE(0x0489, 0xe095) }, + { USB_DEVICE(0x04c5, 0x1330) }, + { USB_DEVICE(0x04CA, 0x3004) }, + { USB_DEVICE(0x04CA, 0x3005) }, +@@ -89,6 +90,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x04CA, 0x3008) }, + { USB_DEVICE(0x04CA, 0x300b) }, + { USB_DEVICE(0x04CA, 0x3010) }, ++ { USB_DEVICE(0x04CA, 0x3014) }, + { USB_DEVICE(0x0930, 0x0219) }, + { USB_DEVICE(0x0930, 0x021c) }, + { USB_DEVICE(0x0930, 0x0220) }, +@@ -109,9 +111,11 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x13d3, 0x3362) }, + { USB_DEVICE(0x13d3, 0x3375) }, + { USB_DEVICE(0x13d3, 0x3393) }, ++ { USB_DEVICE(0x13d3, 0x3395) }, + { USB_DEVICE(0x13d3, 0x3402) }, + { USB_DEVICE(0x13d3, 0x3408) }, + { USB_DEVICE(0x13d3, 0x3432) }, ++ { USB_DEVICE(0x13d3, 0x3472) }, + { USB_DEVICE(0x13d3, 0x3474) }, + + /* Atheros AR5BBU12 with sflash firmware */ +@@ -139,6 +143,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, +@@ -147,6 +152,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, +@@ -167,9 +173,11 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU22 with sflash firmware */ +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 5d5e99902475..8b82282bab8a 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -159,6 +159,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, +@@ -167,6 +168,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, +@@ -187,9 +189,11 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU12 with sflash firmware */ +diff --git a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +index 8e162ad82085..5c93afb1841a 100644 +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -201,6 +201,39 @@ static int ccp_aes_cmac_digest(struct ahash_request *req) + return ccp_aes_cmac_finup(req); + } + ++static int ccp_aes_cmac_export(struct ahash_request *req, void *out) ++{ ++ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_aes_cmac_exp_ctx state; ++ ++ state.null_msg = rctx->null_msg; ++ memcpy(state.iv, rctx->iv, sizeof(state.iv)); ++ state.buf_count = rctx->buf_count; ++ memcpy(state.buf, rctx->buf, sizeof(state.buf)); ++ ++ /* 'out' may not be aligned so memcpy from local variable */ ++ memcpy(out, &state, sizeof(state)); ++ ++ return 0; ++} ++ ++static int ccp_aes_cmac_import(struct ahash_request *req, const void *in) ++{ ++ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_aes_cmac_exp_ctx state; ++ ++ /* 'in' may not be aligned so memcpy to local variable */ ++ memcpy(&state, in, sizeof(state)); ++ ++ memset(rctx, 0, sizeof(*rctx)); ++ rctx->null_msg = state.null_msg; ++ memcpy(rctx->iv, state.iv, sizeof(rctx->iv)); ++ rctx->buf_count = state.buf_count; ++ memcpy(rctx->buf, state.buf, sizeof(rctx->buf)); ++ ++ return 0; ++} ++ + static int ccp_aes_cmac_setkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int key_len) + { +@@ -332,10 +365,13 @@ int ccp_register_aes_cmac_algs(struct list_head *head) + alg->final = ccp_aes_cmac_final; + alg->finup = ccp_aes_cmac_finup; + alg->digest = ccp_aes_cmac_digest; ++ alg->export = ccp_aes_cmac_export; ++ alg->import = ccp_aes_cmac_import; + alg->setkey = ccp_aes_cmac_setkey; + + halg = &alg->halg; + halg->digestsize = AES_BLOCK_SIZE; ++ halg->statesize = sizeof(struct ccp_aes_cmac_exp_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)"); +diff --git a/drivers/crypto/ccp/ccp-crypto-sha.c b/drivers/crypto/ccp/ccp-crypto-sha.c +index 3867290b3531..bdbb5865a50f 100644 +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -257,6 +257,43 @@ static int ccp_sha_digest(struct ahash_request *req) + return ccp_sha_finup(req); + } + ++static int ccp_sha_export(struct ahash_request *req, void *out) ++{ ++ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_sha_exp_ctx state; ++ ++ state.type = rctx->type; ++ state.msg_bits = rctx->msg_bits; ++ state.first = rctx->first; ++ memcpy(state.ctx, rctx->ctx, sizeof(state.ctx)); ++ state.buf_count = rctx->buf_count; ++ memcpy(state.buf, rctx->buf, sizeof(state.buf)); ++ ++ /* 'out' may not be aligned so memcpy from local variable */ ++ memcpy(out, &state, sizeof(state)); ++ ++ return 0; ++} ++ ++static int ccp_sha_import(struct ahash_request *req, const void *in) ++{ ++ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_sha_exp_ctx state; ++ ++ /* 'in' may not be aligned so memcpy to local variable */ ++ memcpy(&state, in, sizeof(state)); ++ ++ memset(rctx, 0, sizeof(*rctx)); ++ rctx->type = state.type; ++ rctx->msg_bits = state.msg_bits; ++ rctx->first = state.first; ++ memcpy(rctx->ctx, state.ctx, sizeof(rctx->ctx)); ++ rctx->buf_count = state.buf_count; ++ memcpy(rctx->buf, state.buf, sizeof(rctx->buf)); ++ ++ return 0; ++} ++ + static int ccp_sha_setkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int key_len) + { +@@ -469,9 +506,12 @@ static int ccp_register_sha_alg(struct list_head *head, + alg->final = ccp_sha_final; + alg->finup = ccp_sha_finup; + alg->digest = ccp_sha_digest; ++ alg->export = ccp_sha_export; ++ alg->import = ccp_sha_import; + + halg = &alg->halg; + halg->digestsize = def->digest_size; ++ halg->statesize = sizeof(struct ccp_sha_exp_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name); +diff --git a/drivers/crypto/ccp/ccp-crypto.h b/drivers/crypto/ccp/ccp-crypto.h +index b222231b6169..79bcc3581092 100644 +--- a/drivers/crypto/ccp/ccp-crypto.h ++++ b/drivers/crypto/ccp/ccp-crypto.h +@@ -132,6 +132,15 @@ struct ccp_aes_cmac_req_ctx { + struct ccp_cmd cmd; + }; + ++struct ccp_aes_cmac_exp_ctx { ++ unsigned int null_msg; ++ ++ u8 iv[AES_BLOCK_SIZE]; ++ ++ unsigned int buf_count; ++ u8 buf[AES_BLOCK_SIZE]; ++}; ++ + /***** SHA related defines *****/ + #define MAX_SHA_CONTEXT_SIZE SHA256_DIGEST_SIZE + #define MAX_SHA_BLOCK_SIZE SHA256_BLOCK_SIZE +@@ -174,6 +183,19 @@ struct ccp_sha_req_ctx { + struct ccp_cmd cmd; + }; + ++struct ccp_sha_exp_ctx { ++ enum ccp_sha_type type; ++ ++ u64 msg_bits; ++ ++ unsigned int first; ++ ++ u8 ctx[MAX_SHA_CONTEXT_SIZE]; ++ ++ unsigned int buf_count; ++ u8 buf[MAX_SHA_BLOCK_SIZE]; ++}; ++ + /***** Common Context Structure *****/ + struct ccp_ctx { + int (*complete)(struct crypto_async_request *req, int ret); +diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c +index 278603c373ca..d39e7482586c 100644 +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -1294,7 +1294,7 @@ static u64 f1x_get_norm_dct_addr(struct amd64_pvt *pvt, u8 range, + u64 chan_off; + u64 dram_base = get_dram_base(pvt, range); + u64 hole_off = f10_dhar_offset(pvt); +- u64 dct_sel_base_off = (pvt->dct_sel_hi & 0xFFFFFC00) << 16; ++ u64 dct_sel_base_off = (u64)(pvt->dct_sel_hi & 0xFFFFFC00) << 16; + + if (hi_rng) { + /* +diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c +index e7bfd5502410..eeb1369110ac 100644 +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -895,8 +895,6 @@ atombios_dig_encoder_setup(struct drm_encoder *encoder, int action, int panel_mo + else + args.v1.ucLaneNum = 4; + +- if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) +- args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; + switch (radeon_encoder->encoder_id) { + case ENCODER_OBJECT_ID_INTERNAL_UNIPHY: + args.v1.ucConfig = ATOM_ENCODER_CONFIG_V2_TRANSMITTER1; +@@ -913,6 +911,10 @@ atombios_dig_encoder_setup(struct drm_encoder *encoder, int action, int panel_mo + args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKB; + else + args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKA; ++ ++ if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) ++ args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; ++ + break; + case 2: + case 3: +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 51f18bf75fa6..66346c4e4104 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1761,6 +1761,7 @@ static const struct hid_device_id hid_have_special_driver[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_ELITE_KBD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_CORDLESS_DESKTOP_LX500) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_EXTREME_3D) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_DUAL_ACTION) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_WHEEL) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_RUMBLEPAD_CORD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_RUMBLEPAD) }, +diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c +index f63341f20b91..e8c6a4842e91 100644 +--- a/drivers/input/misc/ati_remote2.c ++++ b/drivers/input/misc/ati_remote2.c +@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + ar2->udev = udev; + ++ /* Sanity check, first interface must have an endpoint */ ++ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { ++ dev_err(&interface->dev, ++ "%s(): interface 0 must have an endpoint\n", __func__); ++ r = -ENODEV; ++ goto fail1; ++ } + ar2->intf[0] = interface; + ar2->ep[0] = &alt->endpoint[0].desc; + ++ /* Sanity check, the device must have two interfaces */ + ar2->intf[1] = usb_ifnum_to_if(udev, 1); ++ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) { ++ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n", ++ __func__, udev->actconfig->desc.bNumInterfaces); ++ r = -ENODEV; ++ goto fail1; ++ } ++ + r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); + if (r) + goto fail1; ++ ++ /* Sanity check, second interface must have an endpoint */ + alt = ar2->intf[1]->cur_altsetting; ++ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { ++ dev_err(&interface->dev, ++ "%s(): interface 1 must have an endpoint\n", __func__); ++ r = -ENODEV; ++ goto fail2; ++ } + ar2->ep[1] = &alt->endpoint[0].desc; + + r = ati_remote2_urb_init(ar2); + if (r) +- goto fail2; ++ goto fail3; + + ar2->channel_mask = channel_mask; + ar2->mode_mask = mode_mask; + + r = ati_remote2_setup(ar2, ar2->channel_mask); + if (r) +- goto fail2; ++ goto fail3; + + usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); + strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); +@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); + if (r) +- goto fail2; ++ goto fail3; + + r = ati_remote2_input_init(ar2); + if (r) +- goto fail3; ++ goto fail4; + + usb_set_intfdata(interface, ar2); + +@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + return 0; + +- fail3: ++ fail4: + sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); +- fail2: ++ fail3: + ati_remote2_urb_cleanup(ar2); ++ fail2: + usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); + fail1: + kfree(ar2); +diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c +index e204f26b0011..77164dc1bedd 100644 +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1433,6 +1433,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bMasterInterface0); ++ if (!pcu->ctrl_intf) ++ return -EINVAL; + + alt = pcu->ctrl_intf->cur_altsetting; + pcu->ep_ctrl = &alt->endpoint[0].desc; +@@ -1440,6 +1442,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->data_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bSlaveInterface0); ++ if (!pcu->data_intf) ++ return -EINVAL; + + alt = pcu->data_intf->cur_altsetting; + if (alt->desc.bNumEndpoints != 2) { +diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c +index 63b539d3daba..84909a12ff36 100644 +--- a/drivers/input/misc/powermate.c ++++ b/drivers/input/misc/powermate.c +@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ if (interface->desc.bNumEndpoints < 1) ++ return -EINVAL; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -EIO; +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 1b6beb1e3142..51ec648738f4 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1388,6 +1388,9 @@ static void cache_set_flush(struct closure *cl) + struct btree *b; + unsigned i; + ++ if (!c) ++ closure_return(cl); ++ + bch_cache_accounting_destroy(&c->accounting); + + kobject_put(&c->internal); +diff --git a/drivers/md/multipath.c b/drivers/md/multipath.c +index 849ad39f547b..79870f4b318d 100644 +--- a/drivers/md/multipath.c ++++ b/drivers/md/multipath.c +@@ -131,7 +131,9 @@ static void multipath_make_request(struct mddev *mddev, struct bio * bio) + } + multipath = conf->multipaths + mp_bh->path; + +- mp_bh->bio = *bio; ++ bio_init(&mp_bh->bio); ++ __bio_clone_fast(&mp_bh->bio, bio); ++ + mp_bh->bio.bi_iter.bi_sector += multipath->rdev->data_offset; + mp_bh->bio.bi_bdev = multipath->rdev->bdev; + mp_bh->bio.bi_rw |= REQ_FAILFAST_TRANSPORT; +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 1c829a0b234b..49386766c4e0 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -6166,8 +6166,8 @@ static int run(struct mddev *mddev) + } + + if (discard_supported && +- mddev->queue->limits.max_discard_sectors >= stripe && +- mddev->queue->limits.discard_granularity >= stripe) ++ mddev->queue->limits.max_discard_sectors >= (stripe >> 9) && ++ mddev->queue->limits.discard_granularity >= stripe) + queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, + mddev->queue); + else +diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511.c +index ee618942cb8e..d68f742ab885 100644 +--- a/drivers/media/i2c/adv7511.c ++++ b/drivers/media/i2c/adv7511.c +@@ -827,12 +827,23 @@ static void adv7511_dbg_dump_edid(int lvl, int debug, struct v4l2_subdev *sd, in + } + } + ++static void adv7511_notify_no_edid(struct v4l2_subdev *sd) ++{ ++ struct adv7511_state *state = get_adv7511_state(sd); ++ struct adv7511_edid_detect ed; ++ ++ /* We failed to read the EDID, so send an event for this. */ ++ ed.present = false; ++ ed.segment = adv7511_rd(sd, 0xc4); ++ v4l2_subdev_notify(sd, ADV7511_EDID_DETECT, (void *)&ed); ++ v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, 0x0); ++} ++ + static void adv7511_edid_handler(struct work_struct *work) + { + struct delayed_work *dwork = to_delayed_work(work); + struct adv7511_state *state = container_of(dwork, struct adv7511_state, edid_handler); + struct v4l2_subdev *sd = &state->sd; +- struct adv7511_edid_detect ed; + + v4l2_dbg(1, debug, sd, "%s:\n", __func__); + +@@ -857,9 +868,7 @@ static void adv7511_edid_handler(struct work_struct *work) + } + + /* We failed to read the EDID, so send an event for this. */ +- ed.present = false; +- ed.segment = adv7511_rd(sd, 0xc4); +- v4l2_subdev_notify(sd, ADV7511_EDID_DETECT, (void *)&ed); ++ adv7511_notify_no_edid(sd); + v4l2_dbg(1, debug, sd, "%s: no edid found\n", __func__); + } + +@@ -930,7 +939,6 @@ static void adv7511_check_monitor_present_status(struct v4l2_subdev *sd) + /* update read only ctrls */ + v4l2_ctrl_s_ctrl(state->hotplug_ctrl, adv7511_have_hotplug(sd) ? 0x1 : 0x0); + v4l2_ctrl_s_ctrl(state->rx_sense_ctrl, adv7511_have_rx_sense(sd) ? 0x1 : 0x0); +- v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, state->edid.segments ? 0x1 : 0x0); + + if ((status & MASK_ADV7511_HPD_DETECT) && ((status & MASK_ADV7511_MSEN_DETECT) || state->edid.segments)) { + v4l2_dbg(1, debug, sd, "%s: hotplug and (rx-sense or edid)\n", __func__); +@@ -960,6 +968,7 @@ static void adv7511_check_monitor_present_status(struct v4l2_subdev *sd) + } + adv7511_s_power(sd, false); + memset(&state->edid, 0, sizeof(struct adv7511_state_edid)); ++ adv7511_notify_no_edid(sd); + } + } + +@@ -1036,6 +1045,7 @@ static bool adv7511_check_edid_status(struct v4l2_subdev *sd) + } + /* one more segment read ok */ + state->edid.segments = segment + 1; ++ v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, 0x1); + if (((state->edid.data[0x7e] >> 1) + 1) > state->edid.segments) { + /* Request next EDID segment */ + v4l2_dbg(1, debug, sd, "%s: request segment %d\n", __func__, state->edid.segments); +@@ -1055,7 +1065,6 @@ static bool adv7511_check_edid_status(struct v4l2_subdev *sd) + ed.present = true; + ed.segment = 0; + state->edid_detect_counter++; +- v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, state->edid.segments ? 0x1 : 0x0); + v4l2_subdev_notify(sd, ADV7511_EDID_DETECT, (void *)&ed); + return ed.present; + } +diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c +index afcd53bfcf8e..fa65262e7fe1 100644 +--- a/drivers/media/pci/bt8xx/bttv-driver.c ++++ b/drivers/media/pci/bt8xx/bttv-driver.c +@@ -2333,6 +2333,19 @@ static int bttv_g_fmt_vid_overlay(struct file *file, void *priv, + return 0; + } + ++static void bttv_get_width_mask_vid_cap(const struct bttv_format *fmt, ++ unsigned int *width_mask, ++ unsigned int *width_bias) ++{ ++ if (fmt->flags & FORMAT_FLAGS_PLANAR) { ++ *width_mask = ~15; /* width must be a multiple of 16 pixels */ ++ *width_bias = 8; /* nearest */ ++ } else { ++ *width_mask = ~3; /* width must be a multiple of 4 pixels */ ++ *width_bias = 2; /* nearest */ ++ } ++} ++ + static int bttv_try_fmt_vid_cap(struct file *file, void *priv, + struct v4l2_format *f) + { +@@ -2342,6 +2355,7 @@ static int bttv_try_fmt_vid_cap(struct file *file, void *priv, + enum v4l2_field field; + __s32 width, height; + __s32 height2; ++ unsigned int width_mask, width_bias; + int rc; + + fmt = format_by_fourcc(f->fmt.pix.pixelformat); +@@ -2374,9 +2388,9 @@ static int bttv_try_fmt_vid_cap(struct file *file, void *priv, + width = f->fmt.pix.width; + height = f->fmt.pix.height; + ++ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias); + rc = limit_scaled_size_lock(fh, &width, &height, field, +- /* width_mask: 4 pixels */ ~3, +- /* width_bias: nearest */ 2, ++ width_mask, width_bias, + /* adjust_size */ 1, + /* adjust_crop */ 0); + if (0 != rc) +@@ -2409,6 +2423,7 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, + struct bttv_fh *fh = priv; + struct bttv *btv = fh->btv; + __s32 width, height; ++ unsigned int width_mask, width_bias; + enum v4l2_field field; + + retval = bttv_switch_type(fh, f->type); +@@ -2423,9 +2438,10 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, + height = f->fmt.pix.height; + field = f->fmt.pix.field; + ++ fmt = format_by_fourcc(f->fmt.pix.pixelformat); ++ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias); + retval = limit_scaled_size_lock(fh, &width, &height, f->fmt.pix.field, +- /* width_mask: 4 pixels */ ~3, +- /* width_bias: nearest */ 2, ++ width_mask, width_bias, + /* adjust_size */ 1, + /* adjust_crop */ 1); + if (0 != retval) +@@ -2433,8 +2449,6 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, + + f->fmt.pix.field = field; + +- fmt = format_by_fourcc(f->fmt.pix.pixelformat); +- + /* update our state informations */ + fh->fmt = fmt; + fh->cap.field = f->fmt.pix.field; +diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c +index 40396e8b16a8..b338db3c7185 100644 +--- a/drivers/media/pci/saa7134/saa7134-video.c ++++ b/drivers/media/pci/saa7134/saa7134-video.c +@@ -1342,10 +1342,13 @@ static int saa7134_g_fmt_vid_cap(struct file *file, void *priv, + f->fmt.pix.height = dev->height; + f->fmt.pix.field = dev->cap.field; + f->fmt.pix.pixelformat = dev->fmt->fourcc; +- f->fmt.pix.bytesperline = +- (f->fmt.pix.width * dev->fmt->depth) >> 3; ++ if (dev->fmt->planar) ++ f->fmt.pix.bytesperline = f->fmt.pix.width; ++ else ++ f->fmt.pix.bytesperline = ++ (f->fmt.pix.width * dev->fmt->depth) / 8; + f->fmt.pix.sizeimage = +- f->fmt.pix.height * f->fmt.pix.bytesperline; ++ (f->fmt.pix.height * f->fmt.pix.width * dev->fmt->depth) / 8; + f->fmt.pix.colorspace = V4L2_COLORSPACE_SMPTE170M; + f->fmt.pix.priv = 0; + return 0; +@@ -1424,10 +1427,13 @@ static int saa7134_try_fmt_vid_cap(struct file *file, void *priv, + if (f->fmt.pix.height > maxh) + f->fmt.pix.height = maxh; + f->fmt.pix.width &= ~0x03; +- f->fmt.pix.bytesperline = +- (f->fmt.pix.width * fmt->depth) >> 3; ++ if (fmt->planar) ++ f->fmt.pix.bytesperline = f->fmt.pix.width; ++ else ++ f->fmt.pix.bytesperline = ++ (f->fmt.pix.width * fmt->depth) / 8; + f->fmt.pix.sizeimage = +- f->fmt.pix.height * f->fmt.pix.bytesperline; ++ (f->fmt.pix.height * f->fmt.pix.width * fmt->depth) / 8; + f->fmt.pix.colorspace = V4L2_COLORSPACE_SMPTE170M; + f->fmt.pix.priv = 0; + +diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c +index abf365ab025d..73c12c8d125d 100644 +--- a/drivers/media/usb/pwc/pwc-if.c ++++ b/drivers/media/usb/pwc/pwc-if.c +@@ -91,6 +91,7 @@ static const struct usb_device_id pwc_device_table [] = { + { USB_DEVICE(0x0471, 0x0312) }, + { USB_DEVICE(0x0471, 0x0313) }, /* the 'new' 720K */ + { USB_DEVICE(0x0471, 0x0329) }, /* Philips SPC 900NC PC Camera */ ++ { USB_DEVICE(0x0471, 0x032C) }, /* Philips SPC 880NC PC Camera */ + { USB_DEVICE(0x069A, 0x0001) }, /* Askey */ + { USB_DEVICE(0x046D, 0x08B0) }, /* Logitech QuickCam Pro 3000 */ + { USB_DEVICE(0x046D, 0x08B1) }, /* Logitech QuickCam Notebook Pro */ +@@ -799,6 +800,11 @@ static int usb_pwc_probe(struct usb_interface *intf, const struct usb_device_id + name = "Philips SPC 900NC webcam"; + type_id = 740; + break; ++ case 0x032C: ++ PWC_INFO("Philips SPC 880NC USB webcam detected.\n"); ++ name = "Philips SPC 880NC webcam"; ++ type_id = 740; ++ break; + default: + return -ENODEV; + break; +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +index 2bece37d0228..61c2cd3be109 100644 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -392,7 +392,8 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + get_user(kp->index, &up->index) || + get_user(kp->type, &up->type) || + get_user(kp->flags, &up->flags) || +- get_user(kp->memory, &up->memory)) ++ get_user(kp->memory, &up->memory) || ++ get_user(kp->length, &up->length)) + return -EFAULT; + + if (V4L2_TYPE_IS_OUTPUT(kp->type)) +@@ -404,9 +405,6 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + return -EFAULT; + + if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { +- if (get_user(kp->length, &up->length)) +- return -EFAULT; +- + num_planes = kp->length; + if (num_planes == 0) { + kp->m.planes = NULL; +@@ -439,16 +437,14 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + } else { + switch (kp->memory) { + case V4L2_MEMORY_MMAP: +- if (get_user(kp->length, &up->length) || +- get_user(kp->m.offset, &up->m.offset)) ++ if (get_user(kp->m.offset, &up->m.offset)) + return -EFAULT; + break; + case V4L2_MEMORY_USERPTR: + { + compat_long_t tmp; + +- if (get_user(kp->length, &up->length) || +- get_user(tmp, &up->m.userptr)) ++ if (get_user(tmp, &up->m.userptr)) + return -EFAULT; + + kp->m.userptr = (unsigned long)compat_ptr(tmp); +@@ -490,7 +486,8 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) || + put_user(kp->sequence, &up->sequence) || + put_user(kp->reserved2, &up->reserved2) || +- put_user(kp->reserved, &up->reserved)) ++ put_user(kp->reserved, &up->reserved) || ++ put_user(kp->length, &up->length)) + return -EFAULT; + + if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { +@@ -513,13 +510,11 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + } else { + switch (kp->memory) { + case V4L2_MEMORY_MMAP: +- if (put_user(kp->length, &up->length) || +- put_user(kp->m.offset, &up->m.offset)) ++ if (put_user(kp->m.offset, &up->m.offset)) + return -EFAULT; + break; + case V4L2_MEMORY_USERPTR: +- if (put_user(kp->length, &up->length) || +- put_user(kp->m.userptr, &up->m.userptr)) ++ if (put_user(kp->m.userptr, &up->m.userptr)) + return -EFAULT; + break; + case V4L2_MEMORY_OVERLAY: +diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c +index 1de33b5d3903..fdfde0271d23 100644 +--- a/drivers/mtd/onenand/onenand_base.c ++++ b/drivers/mtd/onenand/onenand_base.c +@@ -2606,6 +2606,7 @@ static int onenand_default_block_markbad(struct mtd_info *mtd, loff_t ofs) + */ + static int onenand_block_markbad(struct mtd_info *mtd, loff_t ofs) + { ++ struct onenand_chip *this = mtd->priv; + int ret; + + ret = onenand_block_isbad(mtd, ofs); +@@ -2617,7 +2618,7 @@ static int onenand_block_markbad(struct mtd_info *mtd, loff_t ofs) + } + + onenand_get_device(mtd, FL_WRITING); +- ret = mtd_block_markbad(mtd, ofs); ++ ret = this->block_markbad(mtd, ofs); + onenand_release_device(mtd); + return ret; + } +diff --git a/drivers/net/irda/irtty-sir.c b/drivers/net/irda/irtty-sir.c +index 24b6dddd7f2f..16219162566b 100644 +--- a/drivers/net/irda/irtty-sir.c ++++ b/drivers/net/irda/irtty-sir.c +@@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct *tty) + + /* Module stuff handled via irda_ldisc.owner - Jean II */ + +- /* First make sure we're not already connected. */ +- if (tty->disc_data != NULL) { +- priv = tty->disc_data; +- if (priv && priv->magic == IRTTY_MAGIC) { +- ret = -EEXIST; +- goto out; +- } +- tty->disc_data = NULL; /* ### */ +- } +- + /* stop the underlying driver */ + irtty_stop_receiver(tty, TRUE); + if (tty->ops->stop) +diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c +index 6d1f6ed3113f..d93bac129efc 100644 +--- a/drivers/net/rionet.c ++++ b/drivers/net/rionet.c +@@ -280,7 +280,7 @@ static void rionet_outb_msg_event(struct rio_mport *mport, void *dev_id, int mbo + struct net_device *ndev = dev_id; + struct rionet_private *rnet = netdev_priv(ndev); + +- spin_lock(&rnet->lock); ++ spin_lock(&rnet->tx_lock); + + if (netif_msg_intr(rnet)) + printk(KERN_INFO +@@ -299,7 +299,7 @@ static void rionet_outb_msg_event(struct rio_mport *mport, void *dev_id, int mbo + if (rnet->tx_cnt < RIONET_TX_RING_SIZE) + netif_wake_queue(ndev); + +- spin_unlock(&rnet->lock); ++ spin_unlock(&rnet->tx_lock); + } + + static int rionet_open(struct net_device *ndev) +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index 5b428db6a150..146b13752572 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -175,6 +175,9 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, + struct pci_bus_region region, inverted_region; + bool bar_too_big = false, bar_disabled = false; + ++ if (dev->non_compliant_bars) ++ return 0; ++ + mask = type ? PCI_ROM_ADDRESS_MASK : ~0; + + /* No printks while decoding is disabled! */ +@@ -1074,6 +1077,7 @@ int pci_cfg_space_size(struct pci_dev *dev) + int pci_setup_device(struct pci_dev *dev) + { + u32 class; ++ u16 cmd; + u8 hdr_type; + struct pci_slot *slot; + int pos = 0; +@@ -1121,6 +1125,16 @@ int pci_setup_device(struct pci_dev *dev) + /* device class may be changed after fixup */ + class = dev->class >> 8; + ++ if (dev->non_compliant_bars) { ++ pci_read_config_word(dev, PCI_COMMAND, &cmd); ++ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) { ++ dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n"); ++ cmd &= ~PCI_COMMAND_IO; ++ cmd &= ~PCI_COMMAND_MEMORY; ++ pci_write_config_word(dev, PCI_COMMAND, cmd); ++ } ++ } ++ + switch (dev->hdr_type) { /* header type */ + case PCI_HEADER_TYPE_NORMAL: /* standard header */ + if (class == PCI_CLASS_BRIDGE_PCI) +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index cab190af6345..6b32ddcefc11 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -83,9 +83,12 @@ static int fib_map_alloc(struct aac_dev *dev) + + void aac_fib_map_free(struct aac_dev *dev) + { +- pci_free_consistent(dev->pdev, +- dev->max_fib_size * (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB), +- dev->hw_fib_va, dev->hw_fib_pa); ++ if (dev->hw_fib_va && dev->max_fib_size) { ++ pci_free_consistent(dev->pdev, ++ (dev->max_fib_size * ++ (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)), ++ dev->hw_fib_va, dev->hw_fib_pa); ++ } + dev->hw_fib_va = NULL; + dev->hw_fib_pa = 0; + } +diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c +index 19ddd43a00cf..f4b9ac4ef16e 100644 +--- a/drivers/scsi/be2iscsi/be_main.c ++++ b/drivers/scsi/be2iscsi/be_main.c +@@ -4432,6 +4432,7 @@ put_shost: + scsi_host_put(phba->shost); + free_kset: + iscsi_boot_destroy_kset(phba->boot_kset); ++ phba->boot_kset = NULL; + return -ENOMEM; + } + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index 128dc2f75186..2b7bc7df1edf 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -3946,13 +3946,17 @@ static ssize_t ipr_store_update_fw(struct device *dev, + struct ipr_sglist *sglist; + char fname[100]; + char *src; +- int len, result, dnld_size; ++ char *endline; ++ int result, dnld_size; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + +- len = snprintf(fname, 99, "%s", buf); +- fname[len-1] = '\0'; ++ snprintf(fname, sizeof(fname), "%s", buf); ++ ++ endline = strchr(fname, '\n'); ++ if (endline) ++ *endline = '\0'; + + if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) { + dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname); +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 0be16bf5f0cd..1f65e32db285 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -633,7 +633,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) + else + hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE; + hp->dxfer_len = mxsize; +- if (hp->dxfer_direction == SG_DXFER_TO_DEV) ++ if ((hp->dxfer_direction == SG_DXFER_TO_DEV) || ++ (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV)) + hp->dxferp = (char __user *)buf + cmd_size; + else + hp->dxferp = NULL; +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index 47a90d631a90..77c143854118 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -181,7 +181,6 @@ void core_tmr_abort_task( + + if (!__target_check_io_state(se_cmd, se_sess, 0)) { + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); +- target_put_sess_cmd(se_sess, se_cmd); + goto out; + } + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index cbf927a67160..9ad3d263d5e1 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2484,8 +2484,6 @@ void target_wait_for_sess_cmds(struct se_session *se_sess) + + list_for_each_entry_safe(se_cmd, tmp_cmd, + &se_sess->sess_wait_list, se_cmd_list) { +- list_del_init(&se_cmd->se_cmd_list); +- + pr_debug("Waiting for se_cmd: %p t_state: %d, fabric state:" + " %d\n", se_cmd, se_cmd->t_state, + se_cmd->se_tfo->get_cmd_state(se_cmd)); +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index 612dfc720738..9fffc7295af1 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -686,22 +686,16 @@ static int size_fifo(struct uart_8250_port *up) + */ + static unsigned int autoconfig_read_divisor_id(struct uart_8250_port *p) + { +- unsigned char old_dll, old_dlm, old_lcr; +- unsigned int id; ++ unsigned char old_lcr; ++ unsigned int id, old_dl; + + old_lcr = serial_in(p, UART_LCR); + serial_out(p, UART_LCR, UART_LCR_CONF_MODE_A); ++ old_dl = serial_dl_read(p); ++ serial_dl_write(p, 0); ++ id = serial_dl_read(p); ++ serial_dl_write(p, old_dl); + +- old_dll = serial_in(p, UART_DLL); +- old_dlm = serial_in(p, UART_DLM); +- +- serial_out(p, UART_DLL, 0); +- serial_out(p, UART_DLM, 0); +- +- id = serial_in(p, UART_DLL) | serial_in(p, UART_DLM) << 8; +- +- serial_out(p, UART_DLL, old_dll); +- serial_out(p, UART_DLM, old_dlm); + serial_out(p, UART_LCR, old_lcr); + + return id; +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 584514c7ed1f..b6f5c7d3737b 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1079,6 +1079,9 @@ static int acm_probe(struct usb_interface *intf, + if (quirks == NO_UNION_NORMAL) { + data_interface = usb_ifnum_to_if(usb_dev, 1); + control_interface = usb_ifnum_to_if(usb_dev, 0); ++ /* we would crash */ ++ if (!data_interface || !control_interface) ++ return -ENODEV; + goto skip_normal_probe; + } + +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index 39c7cd6ffa4b..5c65f37536b0 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -494,11 +494,15 @@ static int usb_unbind_interface(struct device *dev) + int usb_driver_claim_interface(struct usb_driver *driver, + struct usb_interface *iface, void *priv) + { +- struct device *dev = &iface->dev; ++ struct device *dev; + struct usb_device *udev; + int retval = 0; + int lpm_disable_error; + ++ if (!iface) ++ return -ENODEV; ++ ++ dev = &iface->dev; + if (dev->driver) + return -EBUSY; + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 648e7eccdde9..f7fdc2c4f8b7 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4079,7 +4079,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + + struct usb_device *hdev = hub->hdev; + struct usb_hcd *hcd = bus_to_hcd(hdev->bus); +- int i, j, retval; ++ int retries, operations, retval, i; + unsigned delay = HUB_SHORT_RESET_TIME; + enum usb_device_speed oldspeed = udev->speed; + const char *speed; +@@ -4181,7 +4181,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + * first 8 bytes of the device descriptor to get the ep0 maxpacket + * value. + */ +- for (i = 0; i < GET_DESCRIPTOR_TRIES; (++i, msleep(100))) { ++ for (retries = 0; retries < GET_DESCRIPTOR_TRIES; (++retries, msleep(100))) { + bool did_new_scheme = false; + + if (use_new_scheme(udev, retry_counter)) { +@@ -4204,7 +4204,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + * 255 is for WUSB devices, we actually need to use + * 512 (WUSB1.0[4.8.1]). + */ +- for (j = 0; j < 3; ++j) { ++ for (operations = 0; operations < 3; ++operations) { + buf->bMaxPacketSize0 = 0; + r = usb_control_msg(udev, usb_rcvaddr0pipe(), + USB_REQ_GET_DESCRIPTOR, USB_DIR_IN, +@@ -4224,7 +4224,13 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + r = -EPROTO; + break; + } +- if (r == 0) ++ /* ++ * Some devices time out if they are powered on ++ * when already connected. They need a second ++ * reset. But only on the first attempt, ++ * lest we get into a time out/reset loop ++ */ ++ if (r == 0 || (r == -ETIMEDOUT && retries == 0)) + break; + } + udev->descriptor.bMaxPacketSize0 = +@@ -4256,7 +4262,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + * authorization will assign the final address. + */ + if (udev->wusb == 0) { +- for (j = 0; j < SET_ADDRESS_TRIES; ++j) { ++ for (operations = 0; operations < SET_ADDRESS_TRIES; ++operations) { + retval = hub_set_address(udev, devnum); + if (retval >= 0) + break; +diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c +index 20bcfdd7eace..35d1457d84b1 100644 +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -791,6 +791,12 @@ static int iowarrior_probe(struct usb_interface *interface, + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + ++ if (iface_desc->desc.bNumEndpoints < 1) { ++ dev_err(&interface->dev, "Invalid number of endpoints\n"); ++ retval = -EINVAL; ++ goto error; ++ } ++ + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { + endpoint = &iface_desc->endpoint[i].desc; +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig +index 3ce5c74b29e4..6f483b8a4f56 100644 +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -59,6 +59,7 @@ config USB_SERIAL_SIMPLE + driver. Specifically, it supports: + - Suunto ANT+ USB device. + - Fundamental Software dongle. ++ - Google USB serial devices + - HP4x calculators + - a number of Motorola phones + - Siemens USB/MPI adapter. +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 922723edd6b0..b689a2fd960c 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -164,6 +164,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ + { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ + { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ ++ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */ + { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ +diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c +index bccb1223143a..81001d13774e 100644 +--- a/drivers/usb/serial/cypress_m8.c ++++ b/drivers/usb/serial/cypress_m8.c +@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) + struct usb_serial *serial = port->serial; + struct cypress_private *priv; + ++ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { ++ dev_err(&port->dev, "required endpoint is missing\n"); ++ return -ENODEV; ++ } ++ + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); + if (!priv) + return -ENOMEM; +@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) + cypress_set_termios(tty, port, &priv->tmp_termios); + + /* setup the port and start reading from the device */ +- if (!port->interrupt_in_urb) { +- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", +- __func__); +- return -1; +- } +- + usb_fill_int_urb(port->interrupt_in_urb, serial->dev, + usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), + port->interrupt_in_urb->transfer_buffer, +diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c +index 8a23c53b946e..cd6df875163e 100644 +--- a/drivers/usb/serial/digi_acceleport.c ++++ b/drivers/usb/serial/digi_acceleport.c +@@ -1252,8 +1252,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) + + static int digi_startup(struct usb_serial *serial) + { ++ struct device *dev = &serial->interface->dev; + struct digi_serial *serial_priv; + int ret; ++ int i; ++ ++ /* check whether the device has the expected number of endpoints */ ++ if (serial->num_port_pointers < serial->type->num_ports + 1) { ++ dev_err(dev, "OOB endpoints missing\n"); ++ return -ENODEV; ++ } ++ ++ for (i = 0; i < serial->type->num_ports + 1 ; i++) { ++ if (!serial->port[i]->read_urb) { ++ dev_err(dev, "bulk-in endpoint missing\n"); ++ return -ENODEV; ++ } ++ if (!serial->port[i]->write_urb) { ++ dev_err(dev, "bulk-out endpoint missing\n"); ++ return -ENODEV; ++ } ++ } + + serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); + if (!serial_priv) +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index b5d8e2544b8f..fb3a832d86e3 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1017,6 +1017,10 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) }, + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) }, + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) }, ++ /* ICP DAS I-756xU devices */ ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) }, ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) }, ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 7850071c0ae1..334bc600282d 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -872,6 +872,14 @@ + #define NOVITUS_BONO_E_PID 0x6010 + + /* ++ * ICPDAS I-756*U devices ++ */ ++#define ICPDAS_VID 0x1b5c ++#define ICPDAS_I7560U_PID 0x0103 ++#define ICPDAS_I7561U_PID 0x0104 ++#define ICPDAS_I7563U_PID 0x0105 ++ ++/* + * RT Systems programming cables for various ham radios + */ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ +diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c +index fd707d6a10e2..89726f702202 100644 +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -376,14 +376,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, + + static int mct_u232_port_probe(struct usb_serial_port *port) + { ++ struct usb_serial *serial = port->serial; + struct mct_u232_private *priv; + ++ /* check first to simplify error handling */ ++ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { ++ dev_err(&port->dev, "expected endpoint missing\n"); ++ return -ENODEV; ++ } ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + + /* Use second interrupt-in endpoint for reading. */ +- priv->read_urb = port->serial->port[1]->interrupt_in_urb; ++ priv->read_urb = serial->port[1]->interrupt_in_urb; + priv->read_urb->context = port; + + spin_lock_init(&priv->lock); +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 24366a2afea6..99c89d7fa1ad 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1818,6 +1818,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff), /* D-Link DWM-221 B1 */ ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ + { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ + { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index efb727a49262..5c19d3e7b4b8 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -51,6 +51,14 @@ DEVICE(funsoft, FUNSOFT_IDS); + { USB_DEVICE(0x8087, 0x0716) } + DEVICE(flashloader, FLASHLOADER_IDS); + ++/* Google Serial USB SubClass */ ++#define GOOGLE_IDS() \ ++ { USB_VENDOR_AND_INTERFACE_INFO(0x18d1, \ ++ USB_CLASS_VENDOR_SPEC, \ ++ 0x50, \ ++ 0x01) } ++DEVICE(google, GOOGLE_IDS); ++ + /* ViVOpay USB Serial Driver */ + #define VIVOPAY_IDS() \ + { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */ +@@ -86,6 +94,7 @@ static struct usb_serial_driver * const serial_drivers[] = { + &zio_device, + &funsoft_device, + &flashloader_device, ++ &google_device, + &vivopay_device, + &moto_modem_device, + &hp4x_device, +@@ -98,6 +107,7 @@ static const struct usb_device_id id_table[] = { + ZIO_IDS(), + FUNSOFT_IDS(), + FLASHLOADER_IDS(), ++ GOOGLE_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), + HP4X_IDS(), +diff --git a/drivers/watchdog/rc32434_wdt.c b/drivers/watchdog/rc32434_wdt.c +index 71e78ef4b736..3a75f3b53452 100644 +--- a/drivers/watchdog/rc32434_wdt.c ++++ b/drivers/watchdog/rc32434_wdt.c +@@ -237,7 +237,7 @@ static long rc32434_wdt_ioctl(struct file *file, unsigned int cmd, + return -EINVAL; + /* Fall through */ + case WDIOC_GETTIMEOUT: +- return copy_to_user(argp, &timeout, sizeof(int)); ++ return copy_to_user(argp, &timeout, sizeof(int)) ? -EFAULT : 0; + default: + return -ENOTTY; + } +diff --git a/fs/coredump.c b/fs/coredump.c +index 72f97a56966f..09c201161bff 100644 +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -32,6 +32,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include + #include +@@ -613,6 +616,8 @@ void do_coredump(const siginfo_t *siginfo) + } + } else { + struct inode *inode; ++ int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW | ++ O_LARGEFILE | O_EXCL; + + if (cprm.limit < binfmt->min_coredump) + goto fail_unlock; +@@ -651,10 +656,27 @@ void do_coredump(const siginfo_t *siginfo) + * what matters is that at least one of the two processes + * writes its coredump successfully, not which one. + */ +- cprm.file = filp_open(cn.corename, +- O_CREAT | 2 | O_NOFOLLOW | +- O_LARGEFILE | O_EXCL, +- 0600); ++ if (need_suid_safe) { ++ /* ++ * Using user namespaces, normal user tasks can change ++ * their current->fs->root to point to arbitrary ++ * directories. Since the intention of the "only dump ++ * with a fully qualified path" rule is to control where ++ * coredumps may be placed using root privileges, ++ * current->fs->root must not be used. Instead, use the ++ * root directory of init_task. ++ */ ++ struct path root; ++ ++ task_lock(&init_task); ++ get_fs_root(init_task.fs, &root); ++ task_unlock(&init_task); ++ cprm.file = file_open_root(root.dentry, root.mnt, ++ cn.corename, open_flags, 0600); ++ path_put(&root); ++ } else { ++ cprm.file = filp_open(cn.corename, open_flags, 0600); ++ } + if (IS_ERR(cprm.file)) + goto fail_unlock; + +diff --git a/fs/fhandle.c b/fs/fhandle.c +index d59712dfa3e7..ca3c3dd01789 100644 +--- a/fs/fhandle.c ++++ b/fs/fhandle.c +@@ -228,7 +228,7 @@ long do_handle_open(int mountdirfd, + path_put(&path); + return fd; + } +- file = file_open_root(path.dentry, path.mnt, "", open_flag); ++ file = file_open_root(path.dentry, path.mnt, "", open_flag, 0); + if (IS_ERR(file)) { + put_unused_fd(fd); + retval = PTR_ERR(file); +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index ef5f39a73c51..84db6c78541c 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1423,11 +1423,12 @@ out: + /** + * jbd2_mark_journal_empty() - Mark on disk journal as empty. + * @journal: The journal to update. ++ * @write_op: With which operation should we write the journal sb + * + * Update a journal's dynamic superblock fields to show that journal is empty. + * Write updated superblock to disk waiting for IO to complete. + */ +-static void jbd2_mark_journal_empty(journal_t *journal) ++static void jbd2_mark_journal_empty(journal_t *journal, int write_op) + { + journal_superblock_t *sb = journal->j_superblock; + +@@ -1445,7 +1446,7 @@ static void jbd2_mark_journal_empty(journal_t *journal) + sb->s_start = cpu_to_be32(0); + read_unlock(&journal->j_state_lock); + +- jbd2_write_superblock(journal, WRITE_FUA); ++ jbd2_write_superblock(journal, write_op); + + /* Log is no longer empty */ + write_lock(&journal->j_state_lock); +@@ -1730,7 +1731,13 @@ int jbd2_journal_destroy(journal_t *journal) + if (journal->j_sb_buffer) { + if (!is_journal_aborted(journal)) { + mutex_lock(&journal->j_checkpoint_mutex); +- jbd2_mark_journal_empty(journal); ++ ++ write_lock(&journal->j_state_lock); ++ journal->j_tail_sequence = ++ ++journal->j_transaction_sequence; ++ write_unlock(&journal->j_state_lock); ++ ++ jbd2_mark_journal_empty(journal, WRITE_FLUSH_FUA); + mutex_unlock(&journal->j_checkpoint_mutex); + } else + err = -EIO; +@@ -1991,7 +1998,7 @@ int jbd2_journal_flush(journal_t *journal) + * the magic code for a fully-recovered superblock. Any future + * commits of data to the journal will restore the current + * s_start value. */ +- jbd2_mark_journal_empty(journal); ++ jbd2_mark_journal_empty(journal, WRITE_FUA); + mutex_unlock(&journal->j_checkpoint_mutex); + write_lock(&journal->j_state_lock); + J_ASSERT(!journal->j_running_transaction); +@@ -2037,7 +2044,7 @@ int jbd2_journal_wipe(journal_t *journal, int write) + if (write) { + /* Lock to make assertions happy... */ + mutex_lock(&journal->j_checkpoint_mutex); +- jbd2_mark_journal_empty(journal); ++ jbd2_mark_journal_empty(journal, WRITE_FUA); + mutex_unlock(&journal->j_checkpoint_mutex); + } + +diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c +index e36d63ff1783..f90931335c6b 100644 +--- a/fs/ocfs2/dlm/dlmconvert.c ++++ b/fs/ocfs2/dlm/dlmconvert.c +@@ -262,6 +262,7 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, + struct dlm_lock *lock, int flags, int type) + { + enum dlm_status status; ++ u8 old_owner = res->owner; + + mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type, + lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS); +@@ -287,6 +288,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, + status = DLM_DENIED; + goto bail; + } ++ ++ if (lock->ml.type == type && lock->ml.convert_type == LKM_IVMODE) { ++ mlog(0, "last convert request returned DLM_RECOVERING, but " ++ "owner has already queued and sent ast to me. res %.*s, " ++ "(cookie=%u:%llu, type=%d, conv=%d)\n", ++ res->lockname.len, res->lockname.name, ++ dlm_get_lock_cookie_node(be64_to_cpu(lock->ml.cookie)), ++ dlm_get_lock_cookie_seq(be64_to_cpu(lock->ml.cookie)), ++ lock->ml.type, lock->ml.convert_type); ++ status = DLM_NORMAL; ++ goto bail; ++ } ++ + res->state |= DLM_LOCK_RES_IN_PROGRESS; + /* move lock to local convert queue */ + /* do not alter lock refcount. switching lists. */ +@@ -316,11 +330,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, + spin_lock(&res->spinlock); + res->state &= ~DLM_LOCK_RES_IN_PROGRESS; + lock->convert_pending = 0; +- /* if it failed, move it back to granted queue */ ++ /* if it failed, move it back to granted queue. ++ * if master returns DLM_NORMAL and then down before sending ast, ++ * it may have already been moved to granted queue, reset to ++ * DLM_RECOVERING and retry convert */ + if (status != DLM_NORMAL) { + if (status != DLM_NOTQUEUED) + dlm_error(status); + dlm_revert_pending_convert(res, lock); ++ } else if ((res->state & DLM_LOCK_RES_RECOVERING) || ++ (old_owner != res->owner)) { ++ mlog(0, "res %.*s is in recovering or has been recovered.\n", ++ res->lockname.len, res->lockname.name); ++ status = DLM_RECOVERING; + } + bail: + spin_unlock(&res->spinlock); +diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c +index 4b93d96d244f..01be4e409a3f 100644 +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -2040,7 +2040,6 @@ void dlm_move_lockres_to_recovery_list(struct dlm_ctxt *dlm, + dlm_lock_get(lock); + if (lock->convert_pending) { + /* move converting lock back to granted */ +- BUG_ON(i != DLM_CONVERTING_LIST); + mlog(0, "node died with convert pending " + "on %.*s. move back to granted list.\n", + res->lockname.len, res->lockname.name); +diff --git a/fs/open.c b/fs/open.c +index 17679f2b2f1c..dbe5085f7d89 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -945,14 +945,12 @@ struct file *filp_open(const char *filename, int flags, umode_t mode) + EXPORT_SYMBOL(filp_open); + + struct file *file_open_root(struct dentry *dentry, struct vfsmount *mnt, +- const char *filename, int flags) ++ const char *filename, int flags, umode_t mode) + { + struct open_flags op; +- int err = build_open_flags(flags, 0, &op); ++ int err = build_open_flags(flags, mode, &op); + if (err) + return ERR_PTR(err); +- if (flags & O_CREAT) +- return ERR_PTR(-EINVAL); + if (!filename && (flags & O_DIRECTORY)) + if (!dentry->d_inode->i_op->lookup) + return ERR_PTR(-ENOTDIR); +diff --git a/fs/splice.c b/fs/splice.c +index e64f59960ec5..cb29a106f71f 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -189,6 +189,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, + unsigned int spd_pages = spd->nr_pages; + int ret, do_wakeup, page_nr; + ++ if (!spd_pages) ++ return 0; ++ + ret = 0; + do_wakeup = 0; + page_nr = 0; +diff --git a/fs/xfs/xfs_attr_list.c b/fs/xfs/xfs_attr_list.c +index 01db96f60cf0..70433d8e11b8 100644 +--- a/fs/xfs/xfs_attr_list.c ++++ b/fs/xfs/xfs_attr_list.c +@@ -205,8 +205,10 @@ xfs_attr_shortform_list(xfs_attr_list_context_t *context) + sbp->namelen, + sbp->valuelen, + &sbp->name[sbp->namelen]); +- if (error) ++ if (error) { ++ kmem_free(sbuf); + return error; ++ } + if (context->seen_enough) + break; + cursor->offset++; +@@ -452,14 +454,13 @@ xfs_attr3_leaf_list_int( + args.rmtblkcnt = xfs_attr3_rmt_blocks( + args.dp->i_mount, valuelen); + retval = xfs_attr_rmtval_get(&args); +- if (retval) +- return retval; +- retval = context->put_listent(context, +- entry->flags, +- name_rmt->name, +- (int)name_rmt->namelen, +- valuelen, +- args.value); ++ if (!retval) ++ retval = context->put_listent(context, ++ entry->flags, ++ name_rmt->name, ++ (int)name_rmt->namelen, ++ valuelen, ++ args.value); + kmem_free(args.value); + } else { + retval = context->put_listent(context, +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 23b2a35d712e..42dd4c916781 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -2078,7 +2078,7 @@ extern long do_sys_open(int dfd, const char __user *filename, int flags, + extern struct file *file_open_name(struct filename *, int, umode_t); + extern struct file *filp_open(const char *, int, umode_t); + extern struct file *file_open_root(struct dentry *, struct vfsmount *, +- const char *, int); ++ const char *, int, umode_t); + extern struct file * dentry_open(const struct path *, int, const struct cred *); + extern int filp_close(struct file *, fl_owner_t id); + +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index 196d1ea86df0..129438a741bb 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -595,7 +595,7 @@ do { \ + + #define do_trace_printk(fmt, args...) \ + do { \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(fmt) ? fmt : NULL; \ + \ +@@ -639,7 +639,7 @@ int __trace_printk(unsigned long ip, const char *fmt, ...); + */ + + #define trace_puts(str) ({ \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(str) ? str : NULL; \ + \ +@@ -661,7 +661,7 @@ extern void trace_dump_stack(int skip); + #define ftrace_vprintk(fmt, vargs) \ + do { \ + if (__builtin_constant_p(fmt)) { \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(fmt) ? fmt : NULL; \ + \ +diff --git a/include/linux/pci.h b/include/linux/pci.h +index d662546f77d8..ecc6e129faa9 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -344,6 +344,7 @@ struct pci_dev { + unsigned int __aer_firmware_first:1; + unsigned int broken_intx_masking:1; + unsigned int io_window_1k:1; /* Intel P2P bridge 1K I/O windows */ ++ unsigned int non_compliant_bars:1; /* broken BARs; ignore them */ + pci_dev_flags_t dev_flags; + atomic_t enable_cnt; /* pci_enable_device has been called */ + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 46afc8cd69dd..1ad2f185827e 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5064,6 +5064,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu) + + case CPU_UP_PREPARE: + rq->calc_load_update = calc_load_update; ++ account_reset_rq(rq); + break; + + case CPU_ONLINE: +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 675e147a86f2..3ecc6ce65517 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1563,3 +1563,16 @@ static inline u64 irq_time_read(int cpu) + } + #endif /* CONFIG_64BIT */ + #endif /* CONFIG_IRQ_TIME_ACCOUNTING */ ++ ++static inline void account_reset_rq(struct rq *rq) ++{ ++#ifdef CONFIG_IRQ_TIME_ACCOUNTING ++ rq->prev_irq_time = 0; ++#endif ++#ifdef CONFIG_PARAVIRT ++ rq->prev_steal_time = 0; ++#endif ++#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING ++ rq->prev_steal_time_rq = 0; ++#endif ++} +diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c +index 653cbbd9e7ad..b93763d780d6 100644 +--- a/kernel/sysctl_binary.c ++++ b/kernel/sysctl_binary.c +@@ -1320,7 +1320,7 @@ static ssize_t binary_sysctl(const int *name, int nlen, + } + + mnt = task_active_pid_ns(current)->proc_mnt; +- file = file_open_root(mnt->mnt_root, mnt, pathname, flags); ++ file = file_open_root(mnt->mnt_root, mnt, pathname, flags, 0); + result = PTR_ERR(file); + if (IS_ERR(file)) + goto out_putname; +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index a2d62b3b90c7..6ea1b943fb1e 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -4457,7 +4457,10 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, + + spd.nr_pages = i; + +- ret = splice_to_pipe(pipe, &spd); ++ if (i) ++ ret = splice_to_pipe(pipe, &spd); ++ else ++ ret = 0; + out: + splice_shrink_spd(&spd); + return ret; +diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c +index 2aefbee93a6d..56e083e26ca9 100644 +--- a/kernel/trace/trace_irqsoff.c ++++ b/kernel/trace/trace_irqsoff.c +@@ -118,8 +118,12 @@ static int func_prolog_dec(struct trace_array *tr, + return 0; + + local_save_flags(*flags); +- /* slight chance to get a false positive on tracing_cpu */ +- if (!irqs_disabled_flags(*flags)) ++ /* ++ * Slight chance to get a false positive on tracing_cpu, ++ * although I'm starting to think there isn't a chance. ++ * Leave this for now just to be paranoid. ++ */ ++ if (!irqs_disabled_flags(*flags) && !preempt_count()) + return 0; + + *data = per_cpu_ptr(tr->trace_buffer.data, cpu); +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index 7c8cef653166..7b900474209d 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -292,6 +292,9 @@ static int t_show(struct seq_file *m, void *v) + const char *str = *fmt; + int i; + ++ if (!*fmt) ++ return 0; ++ + seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt); + + /* +diff --git a/scripts/coccinelle/iterators/use_after_iter.cocci b/scripts/coccinelle/iterators/use_after_iter.cocci +index f085f5968c52..ce8cc9c006e5 100644 +--- a/scripts/coccinelle/iterators/use_after_iter.cocci ++++ b/scripts/coccinelle/iterators/use_after_iter.cocci +@@ -123,7 +123,7 @@ list_remove_head(x,c,...) + | + sizeof(<+...c...+>) + | +-&c->member ++ &c->member + | + c = E + | +diff --git a/scripts/package/mkspec b/scripts/package/mkspec +index 13957602f7ca..c92358d61e26 100755 +--- a/scripts/package/mkspec ++++ b/scripts/package/mkspec +@@ -131,11 +131,11 @@ echo 'rm -rf $RPM_BUILD_ROOT' + echo "" + echo "%post" + echo "if [ -x /sbin/installkernel -a -r /boot/vmlinuz-$KERNELRELEASE -a -r /boot/System.map-$KERNELRELEASE ]; then" +-echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm" +-echo "cp /boot/System.map-$KERNELRELEASE /boot/System.map-$KERNELRELEASE-rpm" ++echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/.vmlinuz-$KERNELRELEASE-rpm" ++echo "cp /boot/System.map-$KERNELRELEASE /boot/.System.map-$KERNELRELEASE-rpm" + echo "rm -f /boot/vmlinuz-$KERNELRELEASE /boot/System.map-$KERNELRELEASE" +-echo "/sbin/installkernel $KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm" +-echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm" ++echo "/sbin/installkernel $KERNELRELEASE /boot/.vmlinuz-$KERNELRELEASE-rpm /boot/.System.map-$KERNELRELEASE-rpm" ++echo "rm -f /boot/.vmlinuz-$KERNELRELEASE-rpm /boot/.System.map-$KERNELRELEASE-rpm" + echo "fi" + echo "" + echo "%files" +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index eef182bea2ad..6d8151d949ca 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -177,8 +177,12 @@ static void cs_automute(struct hda_codec *codec) + snd_hda_gen_update_outputs(codec); + + if (spec->gpio_eapd_hp || spec->gpio_eapd_speaker) { +- spec->gpio_data = spec->gen.hp_jack_present ? +- spec->gpio_eapd_hp : spec->gpio_eapd_speaker; ++ if (spec->gen.automute_speaker) ++ spec->gpio_data = spec->gen.hp_jack_present ? ++ spec->gpio_eapd_hp : spec->gpio_eapd_speaker; ++ else ++ spec->gpio_data = ++ spec->gpio_eapd_hp | spec->gpio_eapd_speaker; + snd_hda_codec_write(codec, 0x01, 0, + AC_VERB_SET_GPIO_DATA, spec->gpio_data); + } +diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c +index 08d8733604a2..339915647c9a 100644 +--- a/sound/pci/intel8x0.c ++++ b/sound/pci/intel8x0.c +@@ -2884,6 +2884,7 @@ static void intel8x0_measure_ac97_clock(struct intel8x0 *chip) + + static struct snd_pci_quirk intel8x0_clock_list[] = { + SND_PCI_QUIRK(0x0e11, 0x008a, "AD1885", 41000), ++ SND_PCI_QUIRK(0x1014, 0x0581, "AD1981B", 48000), + SND_PCI_QUIRK(0x1028, 0x00be, "AD1885", 44100), + SND_PCI_QUIRK(0x1028, 0x0177, "AD1980", 48000), + SND_PCI_QUIRK(0x1028, 0x01ad, "AD1981B", 48000), +diff --git a/sound/usb/clock.c b/sound/usb/clock.c +index 86f80c60b21f..1329d7725196 100644 +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -283,6 +283,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface, + unsigned char data[3]; + int err, crate; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + /* if endpoint doesn't have sampling rate control, bail out */ +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 105ece3c14e3..c686ec8e8fa1 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -409,6 +409,9 @@ exit_clear: + * + * New endpoints will be added to chip->ep_list and must be freed by + * calling snd_usb_endpoint_free(). ++ * ++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that ++ * bNumEndpoints > 1 beforehand. + */ + struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip, + struct usb_host_interface *alts, +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index a82ec53b8fb3..aca30e600bde 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1455,7 +1455,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol, + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(mixer->chip->dev, 1); ++ if (!iface || iface->num_altsetting < 2) ++ return -EINVAL; + alts = &iface->altsetting[1]; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = snd_usb_ctl_msg(mixer->chip->dev, +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index ede4b92710aa..d2fba888a485 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface, + unsigned char data[1]; + int err; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + data[0] = 1; +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 9a599b1bc6ba..2ad6ba95f02d 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -138,6 +138,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + snd_printk(KERN_ERR "cannot memdup\n"); + return -ENOMEM; + } ++ INIT_LIST_HEAD(&fp->list); + if (fp->nr_rates > MAX_NR_RATES) { + kfree(fp); + return -EINVAL; +@@ -155,19 +156,20 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + stream = (fp->endpoint & USB_DIR_IN) + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); +- if (err < 0) { +- kfree(fp); +- kfree(rate_table); +- return err; +- } ++ if (err < 0) ++ goto error; + if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber || + fp->altset_idx >= iface->num_altsetting) { +- kfree(fp); +- kfree(rate_table); +- return -EINVAL; ++ err = -EINVAL; ++ goto error; + } + alts = &iface->altsetting[fp->altset_idx]; + altsd = get_iface_desc(alts); ++ if (altsd->bNumEndpoints < 1) { ++ err = -EINVAL; ++ goto error; ++ } ++ + fp->protocol = altsd->bInterfaceProtocol; + + if (fp->datainterval == 0) +@@ -178,6 +180,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + snd_usb_init_pitch(chip, fp->iface, alts, fp); + snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max); + return 0; ++ ++ error: ++ list_del(&fp->list); /* unlink for avoiding double-free */ ++ kfree(fp); ++ kfree(rate_table); ++ return err; + } + + static int create_auto_pcm_quirk(struct snd_usb_audio *chip, +@@ -450,6 +458,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip, + fp->ep_attr = get_endpoint(alts, 0)->bmAttributes; + fp->datainterval = 0; + fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize); ++ INIT_LIST_HEAD(&fp->list); + + switch (fp->maxpacksize) { + case 0x120: +@@ -473,6 +482,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip, + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp); + return err; + } +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index 2fb71be5e100..f06c754c9783 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -315,7 +315,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, + /* + * add this endpoint to the chip instance. + * if a stream with the same endpoint already exists, append to it. +- * if not, create a new pcm stream. ++ * if not, create a new pcm stream. note, fp is added to the substream ++ * fmt_list and will be freed on the chip instance release. do not free ++ * fp or do remove it from the substream fmt_list to avoid double-free. + */ + int snd_usb_add_audio_stream(struct snd_usb_audio *chip, + int stream, +@@ -662,6 +664,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) + * (fp->maxpacksize & 0x7ff); + fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no); + fp->clock = clock; ++ INIT_LIST_HEAD(&fp->list); + + /* some quirks for attributes here */ + +@@ -710,6 +713,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) + snd_printdd(KERN_INFO "%d:%u:%d: add audio endpoint %#x\n", dev->devnum, iface_no, altno, fp->endpoint); + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp->rate_table); + kfree(fp->chmap); + kfree(fp); +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index d7d950f51b55..9e5cd217ffaf 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -454,6 +454,16 @@ static struct kvm *kvm_create_vm(unsigned long type) + if (!kvm) + return ERR_PTR(-ENOMEM); + ++ spin_lock_init(&kvm->mmu_lock); ++ atomic_inc(¤t->mm->mm_count); ++ kvm->mm = current->mm; ++ kvm_eventfd_init(kvm); ++ mutex_init(&kvm->lock); ++ mutex_init(&kvm->irq_lock); ++ mutex_init(&kvm->slots_lock); ++ atomic_set(&kvm->users_count, 1); ++ INIT_LIST_HEAD(&kvm->devices); ++ + r = kvm_arch_init_vm(kvm, type); + if (r) + goto out_err_nodisable; +@@ -483,16 +493,6 @@ static struct kvm *kvm_create_vm(unsigned long type) + goto out_err; + } + +- spin_lock_init(&kvm->mmu_lock); +- kvm->mm = current->mm; +- atomic_inc(&kvm->mm->mm_count); +- kvm_eventfd_init(kvm); +- mutex_init(&kvm->lock); +- mutex_init(&kvm->irq_lock); +- mutex_init(&kvm->slots_lock); +- atomic_set(&kvm->users_count, 1); +- INIT_LIST_HEAD(&kvm->devices); +- + r = kvm_init_mmu_notifier(kvm); + if (r) + goto out_err; +@@ -512,6 +512,7 @@ out_err_nodisable: + kfree(kvm->buses[i]); + kfree(kvm->memslots); + kvm_arch_free_vm(kvm); ++ mmdrop(current->mm); + return ERR_PTR(r); + } + diff --git a/patch/kernel/cubox-dev/patch-3.14.66-67.patch b/patch/kernel/cubox-dev/patch-3.14.66-67.patch new file mode 100644 index 000000000..c87578d94 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.66-67.patch @@ -0,0 +1,1001 @@ +diff --git a/Makefile b/Makefile +index 9053bda13f60..0a28325ef49c 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 66 ++SUBLEVEL = 67 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c +index 568b2c61ea02..3cad8aadc69e 100644 +--- a/arch/parisc/kernel/parisc_ksyms.c ++++ b/arch/parisc/kernel/parisc_ksyms.c +@@ -47,11 +47,11 @@ EXPORT_SYMBOL(__cmpxchg_u64); + EXPORT_SYMBOL(lclear_user); + EXPORT_SYMBOL(lstrnlen_user); + +-/* Global fixups */ +-extern void fixup_get_user_skip_1(void); +-extern void fixup_get_user_skip_2(void); +-extern void fixup_put_user_skip_1(void); +-extern void fixup_put_user_skip_2(void); ++/* Global fixups - defined as int to avoid creation of function pointers */ ++extern int fixup_get_user_skip_1; ++extern int fixup_get_user_skip_2; ++extern int fixup_put_user_skip_1; ++extern int fixup_put_user_skip_2; + EXPORT_SYMBOL(fixup_get_user_skip_1); + EXPORT_SYMBOL(fixup_get_user_skip_2); + EXPORT_SYMBOL(fixup_put_user_skip_1); +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c +index 47ee620d15d2..05aab1333dfa 100644 +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -802,6 +802,9 @@ void notrace handle_interruption(int code, struct pt_regs *regs) + + if (fault_space == 0 && !in_atomic()) + { ++ /* Clean up and return if in exception table. */ ++ if (fixup_exception(regs)) ++ return; + pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC); + parisc_terminate("Kernel Fault", regs, code, fault_address); + } +diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c +index a1d684266549..d92ab57bffaf 100644 +--- a/drivers/gpu/drm/radeon/radeon_sa.c ++++ b/drivers/gpu/drm/radeon/radeon_sa.c +@@ -349,8 +349,10 @@ int radeon_sa_bo_new(struct radeon_device *rdev, + /* see if we can skip over some allocations */ + } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); + +- for (i = 0; i < RADEON_NUM_RINGS; ++i) +- radeon_fence_ref(fences[i]); ++ for (i = 0; i < RADEON_NUM_RINGS; ++i) { ++ if (fences[i]) ++ radeon_fence_ref(fences[i]); ++ } + + spin_unlock(&sa_manager->wq.lock); + r = radeon_fence_wait_any(rdev, fences, false); +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c +index c9053f799abe..93abc111307f 100644 +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -2914,6 +2914,7 @@ static struct si_dpm_quirk si_dpm_quirk_list[] = { + /* PITCAIRN - https://bugs.freedesktop.org/show_bug.cgi?id=76490 */ + { PCI_VENDOR_ID_ATI, 0x6810, 0x1462, 0x3036, 0, 120000 }, + { PCI_VENDOR_ID_ATI, 0x6811, 0x174b, 0xe271, 0, 120000 }, ++ { PCI_VENDOR_ID_ATI, 0x6811, 0x174b, 0x2015, 0, 120000 }, + { PCI_VENDOR_ID_ATI, 0x6810, 0x174b, 0xe271, 85000, 90000 }, + { 0, 0, 0, 0 }, + }; +@@ -3006,6 +3007,10 @@ static void si_apply_state_adjust_rules(struct radeon_device *rdev, + ps->performance_levels[i].sclk = max_sclk; + } + } ++ /* limit mclk on all R7 370 parts for stability */ ++ if (rdev->pdev->device == 0x6811 && ++ rdev->pdev->revision == 0x81) ++ max_mclk = 120000; + + /* XXX validate the min clocks required for display */ + +diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c +index ced6d61c1787..63de05743259 100644 +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -940,14 +940,6 @@ static int usbhid_output_raw_report(struct hid_device *hid, __u8 *buf, size_t co + return ret; + } + +-static void usbhid_restart_queues(struct usbhid_device *usbhid) +-{ +- if (usbhid->urbout && !test_bit(HID_OUT_RUNNING, &usbhid->iofl)) +- usbhid_restart_out_queue(usbhid); +- if (!test_bit(HID_CTRL_RUNNING, &usbhid->iofl)) +- usbhid_restart_ctrl_queue(usbhid); +-} +- + static void hid_free_buffers(struct usb_device *dev, struct hid_device *hid) + { + struct usbhid_device *usbhid = hid->driver_data; +@@ -1376,6 +1368,37 @@ static void hid_cease_io(struct usbhid_device *usbhid) + usb_kill_urb(usbhid->urbout); + } + ++static void hid_restart_io(struct hid_device *hid) ++{ ++ struct usbhid_device *usbhid = hid->driver_data; ++ int clear_halt = test_bit(HID_CLEAR_HALT, &usbhid->iofl); ++ int reset_pending = test_bit(HID_RESET_PENDING, &usbhid->iofl); ++ ++ spin_lock_irq(&usbhid->lock); ++ clear_bit(HID_SUSPENDED, &usbhid->iofl); ++ usbhid_mark_busy(usbhid); ++ ++ if (clear_halt || reset_pending) ++ schedule_work(&usbhid->reset_work); ++ usbhid->retry_delay = 0; ++ spin_unlock_irq(&usbhid->lock); ++ ++ if (reset_pending || !test_bit(HID_STARTED, &usbhid->iofl)) ++ return; ++ ++ if (!clear_halt) { ++ if (hid_start_in(hid) < 0) ++ hid_io_error(hid); ++ } ++ ++ spin_lock_irq(&usbhid->lock); ++ if (usbhid->urbout && !test_bit(HID_OUT_RUNNING, &usbhid->iofl)) ++ usbhid_restart_out_queue(usbhid); ++ if (!test_bit(HID_CTRL_RUNNING, &usbhid->iofl)) ++ usbhid_restart_ctrl_queue(usbhid); ++ spin_unlock_irq(&usbhid->lock); ++} ++ + /* Treat USB reset pretty much the same as suspend/resume */ + static int hid_pre_reset(struct usb_interface *intf) + { +@@ -1425,14 +1448,14 @@ static int hid_post_reset(struct usb_interface *intf) + return 1; + } + ++ /* No need to do another reset or clear a halted endpoint */ + spin_lock_irq(&usbhid->lock); + clear_bit(HID_RESET_PENDING, &usbhid->iofl); ++ clear_bit(HID_CLEAR_HALT, &usbhid->iofl); + spin_unlock_irq(&usbhid->lock); + hid_set_idle(dev, intf->cur_altsetting->desc.bInterfaceNumber, 0, 0); +- status = hid_start_in(hid); +- if (status < 0) +- hid_io_error(hid); +- usbhid_restart_queues(usbhid); ++ ++ hid_restart_io(hid); + + return 0; + } +@@ -1455,25 +1478,9 @@ void usbhid_put_power(struct hid_device *hid) + #ifdef CONFIG_PM + static int hid_resume_common(struct hid_device *hid, bool driver_suspended) + { +- struct usbhid_device *usbhid = hid->driver_data; +- int status; +- +- spin_lock_irq(&usbhid->lock); +- clear_bit(HID_SUSPENDED, &usbhid->iofl); +- usbhid_mark_busy(usbhid); +- +- if (test_bit(HID_CLEAR_HALT, &usbhid->iofl) || +- test_bit(HID_RESET_PENDING, &usbhid->iofl)) +- schedule_work(&usbhid->reset_work); +- usbhid->retry_delay = 0; +- +- usbhid_restart_queues(usbhid); +- spin_unlock_irq(&usbhid->lock); +- +- status = hid_start_in(hid); +- if (status < 0) +- hid_io_error(hid); ++ int status = 0; + ++ hid_restart_io(hid); + if (driver_suspended && hid->driver && hid->driver->resume) + status = hid->driver->resume(hid); + return status; +@@ -1542,12 +1549,8 @@ static int hid_suspend(struct usb_interface *intf, pm_message_t message) + static int hid_resume(struct usb_interface *intf) + { + struct hid_device *hid = usb_get_intfdata (intf); +- struct usbhid_device *usbhid = hid->driver_data; + int status; + +- if (!test_bit(HID_STARTED, &usbhid->iofl)) +- return 0; +- + status = hid_resume_common(hid, true); + dev_dbg(&intf->dev, "resume status %d\n", status); + return 0; +@@ -1556,10 +1559,8 @@ static int hid_resume(struct usb_interface *intf) + static int hid_reset_resume(struct usb_interface *intf) + { + struct hid_device *hid = usb_get_intfdata(intf); +- struct usbhid_device *usbhid = hid->driver_data; + int status; + +- clear_bit(HID_SUSPENDED, &usbhid->iofl); + status = hid_post_reset(intf); + if (status >= 0 && hid->driver && hid->driver->reset_resume) { + int ret = hid->driver->reset_resume(hid); +diff --git a/drivers/hwmon/max1111.c b/drivers/hwmon/max1111.c +index eda077de8a9f..f787f04a0d1a 100644 +--- a/drivers/hwmon/max1111.c ++++ b/drivers/hwmon/max1111.c +@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111; + + int max1111_read_channel(int channel) + { ++ if (!the_max1111 || !the_max1111->spi) ++ return -ENODEV; ++ + return max1111_read(&the_max1111->spi->dev, channel); + } + EXPORT_SYMBOL(max1111_read_channel); +@@ -260,6 +263,9 @@ static int max1111_remove(struct spi_device *spi) + { + struct max1111_data *data = spi_get_drvdata(spi); + ++#ifdef CONFIG_SHARPSL_PM ++ the_max1111 = NULL; ++#endif + hwmon_device_unregister(data->hwmon_dev); + sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group); + sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group); +diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c +index 5c9e3123ad2e..6bc70ce564b5 100644 +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -1522,7 +1522,7 @@ static int usbvision_probe(struct usb_interface *intf, + const struct usb_host_interface *interface; + struct usb_usbvision *usbvision = NULL; + const struct usb_endpoint_descriptor *endpoint; +- int model, i; ++ int model, i, ret; + + PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u", + dev->descriptor.idVendor, +@@ -1531,33 +1531,51 @@ static int usbvision_probe(struct usb_interface *intf, + model = devid->driver_info; + if (model < 0 || model >= usbvision_device_data_size) { + PDEBUG(DBG_PROBE, "model out of bounds %d", model); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_usb; + } + printk(KERN_INFO "%s: %s found\n", __func__, + usbvision_device_data[model].model_string); + + if (usbvision_device_data[model].interface >= 0) + interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; +- else ++ else if (ifnum < dev->actconfig->desc.bNumInterfaces) + interface = &dev->actconfig->interface[ifnum]->altsetting[0]; ++ else { ++ dev_err(&intf->dev, "interface %d is invalid, max is %d\n", ++ ifnum, dev->actconfig->desc.bNumInterfaces - 1); ++ ret = -ENODEV; ++ goto err_usb; ++ } ++ ++ if (interface->desc.bNumEndpoints < 2) { ++ dev_err(&intf->dev, "interface %d has %d endpoints, but must" ++ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints); ++ ret = -ENODEV; ++ goto err_usb; ++ } + endpoint = &interface->endpoint[1].desc; ++ + if (!usb_endpoint_xfer_isoc(endpoint)) { + dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n", + __func__, ifnum); + dev_err(&intf->dev, "%s: Endpoint attributes %d", + __func__, endpoint->bmAttributes); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_usb; + } + if (usb_endpoint_dir_out(endpoint)) { + dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n", + __func__, ifnum); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_usb; + } + + usbvision = usbvision_alloc(dev, intf); + if (usbvision == NULL) { + dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto err_usb; + } + + if (dev->descriptor.bNumConfigurations > 1) +@@ -1576,8 +1594,8 @@ static int usbvision_probe(struct usb_interface *intf, + usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL); + if (usbvision->alt_max_pkt_size == NULL) { + dev_err(&intf->dev, "usbvision: out of memory!\n"); +- usbvision_release(usbvision); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto err_pkt; + } + + for (i = 0; i < usbvision->num_alt; i++) { +@@ -1612,6 +1630,12 @@ static int usbvision_probe(struct usb_interface *intf, + + PDEBUG(DBG_PROBE, "success"); + return 0; ++ ++err_pkt: ++ usbvision_release(usbvision); ++err_usb: ++ usb_put_dev(dev); ++ return ret; + } + + +diff --git a/drivers/net/ethernet/jme.c b/drivers/net/ethernet/jme.c +index f5685c0d0579..2b20e2368fca 100644 +--- a/drivers/net/ethernet/jme.c ++++ b/drivers/net/ethernet/jme.c +@@ -3287,13 +3287,14 @@ jme_resume(struct device *dev) + jme_reset_phy_processor(jme); + jme_phy_calibration(jme); + jme_phy_setEA(jme); +- jme_start_irq(jme); + netif_device_attach(netdev); + + atomic_inc(&jme->link_changing); + + jme_reset_link(jme); + ++ jme_start_irq(jme); ++ + return 0; + } + +diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_main.c b/drivers/net/ethernet/qlogic/qlge/qlge_main.c +index 656c65ddadb4..e845eadaf8d0 100644 +--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c +@@ -1648,7 +1648,18 @@ static void ql_process_mac_rx_skb(struct ql_adapter *qdev, + return; + } + skb_reserve(new_skb, NET_IP_ALIGN); ++ ++ pci_dma_sync_single_for_cpu(qdev->pdev, ++ dma_unmap_addr(sbq_desc, mapaddr), ++ dma_unmap_len(sbq_desc, maplen), ++ PCI_DMA_FROMDEVICE); ++ + memcpy(skb_put(new_skb, length), skb->data, length); ++ ++ pci_dma_sync_single_for_device(qdev->pdev, ++ dma_unmap_addr(sbq_desc, mapaddr), ++ dma_unmap_len(sbq_desc, maplen), ++ PCI_DMA_FROMDEVICE); + skb = new_skb; + + /* Frame error, so drop the packet. */ +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 58f1a09d6f1d..43b142a2ee79 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1156,7 +1156,8 @@ static void sh_eth_ring_format(struct net_device *ndev) + mdp->dirty_rx = (u32) (i - mdp->num_rx_ring); + + /* Mark the last entry as wrapping the ring. */ +- rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); ++ if (rxdesc) ++ rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); + + memset(mdp->tx_ring, 0, tx_ringsize); + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index a2d7d5f066f1..14a8d2958698 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -2220,7 +2220,7 @@ int ppp_register_net_channel(struct net *net, struct ppp_channel *chan) + + pch->ppp = NULL; + pch->chan = chan; +- pch->chan_net = net; ++ pch->chan_net = get_net(net); + chan->ppp = pch; + init_ppp_file(&pch->file, CHANNEL); + pch->file.hdrlen = chan->hdrlen; +@@ -2317,6 +2317,8 @@ ppp_unregister_channel(struct ppp_channel *chan) + spin_lock_bh(&pn->all_channels_lock); + list_del(&pch->list); + spin_unlock_bh(&pn->all_channels_lock); ++ put_net(pch->chan_net); ++ pch->chan_net = NULL; + + pch->file.dead = 1; + wake_up_interruptible(&pch->file.rwait); +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 75d7d9dbbe35..c6637229bdb8 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -423,7 +423,11 @@ advance: + + iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber; + +- /* reset data interface */ ++ /* Reset data interface. Some devices will not reset properly ++ * unless they are configured first. Toggle the altsetting to ++ * force a reset ++ */ ++ usb_set_interface(dev->udev, iface_no, data_altsetting); + temp = usb_set_interface(dev->udev, iface_no, 0); + if (temp) { + dev_dbg(&intf->dev, "set interface failed\n"); +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 3580938246b0..f2307bb3cb07 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -737,6 +737,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */ + {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */ + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ ++ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 23dc1316c1c2..28ecd7573624 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1718,6 +1718,13 @@ out3: + if (info->unbind) + info->unbind (dev, udev); + out1: ++ /* subdrivers must undo all they did in bind() if they ++ * fail it, but we may fail later and a deferred kevent ++ * may trigger an error resubmitting itself and, worse, ++ * schedule a timer. So we kill it all just in case. ++ */ ++ cancel_work_sync(&dev->kevent); ++ del_timer_sync(&dev->delay); + free_netdev(net); + out: + return status; +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index bcfff0d62de4..2dfa1478d7d1 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -2545,7 +2545,7 @@ fst_add_one(struct pci_dev *pdev, const struct pci_device_id *ent) + dev->mem_start = card->phys_mem + + BUF_OFFSET ( txBuffer[i][0][0]); + dev->mem_end = card->phys_mem +- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]); ++ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]); + dev->base_addr = card->pci_conf; + dev->irq = card->irq; + +diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c +index 971d770722cf..2ac05486424b 100644 +--- a/drivers/net/wireless/ath/ath9k/eeprom.c ++++ b/drivers/net/wireless/ath/ath9k/eeprom.c +@@ -408,10 +408,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + + if (match) { + if (AR_SREV_9287(ah)) { +- /* FIXME: array overrun? */ + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_9287[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_9287[idxL].pwrPdg[i], + data_9287[idxL].vpdPdg[i], +@@ -421,7 +420,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + } else if (eeprom_4k) { + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_4k[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_4k[idxL].pwrPdg[i], + data_4k[idxL].vpdPdg[i], +@@ -431,7 +430,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + } else { + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_def[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_def[idxL].pwrPdg[i], + data_def[idxL].vpdPdg[i], +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index f7fdc2c4f8b7..dcee3f09793d 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5231,6 +5231,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + usb_set_usb2_hardware_lpm(udev, 0); + + bos = udev->bos; ++ udev->bos = NULL; + + /* Disable LPM and LTM while we reset the device and reinstall the alt + * settings. Device-initiated LPM settings, and system exit latency +@@ -5339,11 +5340,8 @@ done: + usb_set_usb2_hardware_lpm(udev, 1); + usb_unlocked_enable_lpm(udev); + usb_enable_ltm(udev); +- /* release the new BOS descriptor allocated by hub_port_init() */ +- if (udev->bos != bos) { +- usb_release_bos_descriptor(udev); +- udev->bos = bos; +- } ++ usb_release_bos_descriptor(udev); ++ udev->bos = bos; + return 0; + + re_enumerate: +diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c +index d49f9c326035..c116faed35ea 100644 +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -166,7 +166,8 @@ static int usbhsf_pkt_handler(struct usbhs_pipe *pipe, int type) + goto __usbhs_pkt_handler_end; + } + +- ret = func(pkt, &is_done); ++ if (likely(func)) ++ ret = func(pkt, &is_done); + + if (is_done) + __usbhsf_pkt_del(pkt); +@@ -933,6 +934,7 @@ static int usbhsf_dma_try_pop(struct usbhs_pkt *pkt, int *is_done) + + pkt->trans = len; + ++ usbhsf_tx_irq_ctrl(pipe, 0); + INIT_WORK(&pkt->work, xfer_work); + schedule_work(&pkt->work); + +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 5af64e966ed6..082b23be5409 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -503,9 +503,19 @@ static void eoi_pirq(struct irq_data *data) + struct physdev_eoi eoi = { .irq = pirq_from_irq(data->irq) }; + int rc = 0; + +- irq_move_irq(data); ++ if (!VALID_EVTCHN(evtchn)) ++ return; + +- if (VALID_EVTCHN(evtchn)) ++ if (unlikely(irqd_is_setaffinity_pending(data))) { ++ int masked = test_and_set_mask(evtchn); ++ ++ clear_evtchn(evtchn); ++ ++ irq_move_masked_irq(data); ++ ++ if (!masked) ++ unmask_evtchn(evtchn); ++ } else + clear_evtchn(evtchn); + + if (pirq_needs_eoi(data->irq)) { +@@ -1395,9 +1405,19 @@ static void ack_dynirq(struct irq_data *data) + { + int evtchn = evtchn_from_irq(data->irq); + +- irq_move_irq(data); ++ if (!VALID_EVTCHN(evtchn)) ++ return; + +- if (VALID_EVTCHN(evtchn)) ++ if (unlikely(irqd_is_setaffinity_pending(data))) { ++ int masked = test_and_set_mask(evtchn); ++ ++ clear_evtchn(evtchn); ++ ++ irq_move_masked_irq(data); ++ ++ if (!masked) ++ unmask_evtchn(evtchn); ++ } else + clear_evtchn(evtchn); + } + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 96fe2c175a73..bb39399f3ef7 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -847,6 +847,29 @@ do { \ + #include "extents_status.h" + + /* ++ * Lock subclasses for i_data_sem in the ext4_inode_info structure. ++ * ++ * These are needed to avoid lockdep false positives when we need to ++ * allocate blocks to the quota inode during ext4_map_blocks(), while ++ * holding i_data_sem for a normal (non-quota) inode. Since we don't ++ * do quota tracking for the quota inode, this avoids deadlock (as ++ * well as infinite recursion, since it isn't turtles all the way ++ * down...) ++ * ++ * I_DATA_SEM_NORMAL - Used for most inodes ++ * I_DATA_SEM_OTHER - Used by move_inode.c for the second normal inode ++ * where the second inode has larger inode number ++ * than the first ++ * I_DATA_SEM_QUOTA - Used for quota inodes only ++ */ ++enum { ++ I_DATA_SEM_NORMAL = 0, ++ I_DATA_SEM_OTHER, ++ I_DATA_SEM_QUOTA, ++}; ++ ++ ++/* + * fourth extended file system inode data in memory + */ + struct ext4_inode_info { +diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c +index 773b503bd18c..12a8148f9c58 100644 +--- a/fs/ext4/move_extent.c ++++ b/fs/ext4/move_extent.c +@@ -154,10 +154,10 @@ ext4_double_down_write_data_sem(struct inode *first, struct inode *second) + { + if (first < second) { + down_write(&EXT4_I(first)->i_data_sem); +- down_write_nested(&EXT4_I(second)->i_data_sem, SINGLE_DEPTH_NESTING); ++ down_write_nested(&EXT4_I(second)->i_data_sem, I_DATA_SEM_OTHER); + } else { + down_write(&EXT4_I(second)->i_data_sem); +- down_write_nested(&EXT4_I(first)->i_data_sem, SINGLE_DEPTH_NESTING); ++ down_write_nested(&EXT4_I(first)->i_data_sem, I_DATA_SEM_OTHER); + + } + } +@@ -1114,6 +1114,13 @@ mext_check_arguments(struct inode *orig_inode, + return -EINVAL; + } + ++ if (IS_NOQUOTA(orig_inode) || IS_NOQUOTA(donor_inode)) { ++ ext4_debug("ext4 move extent: The argument files should " ++ "not be quota files [ino:orig %lu, donor %lu]\n", ++ orig_inode->i_ino, donor_inode->i_ino); ++ return -EBUSY; ++ } ++ + /* Ext4 move extent supports only extent based file */ + if (!(ext4_test_inode_flag(orig_inode, EXT4_INODE_EXTENTS))) { + ext4_debug("ext4 move extent: orig file is not extents " +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index c05fc3aef69f..64cd8114f75d 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5123,6 +5123,20 @@ static int ext4_quota_on_mount(struct super_block *sb, int type) + EXT4_SB(sb)->s_jquota_fmt, type); + } + ++static void lockdep_set_quota_inode(struct inode *inode, int subclass) ++{ ++ struct ext4_inode_info *ei = EXT4_I(inode); ++ ++ /* The first argument of lockdep_set_subclass has to be ++ * *exactly* the same as the argument to init_rwsem() --- in ++ * this case, in init_once() --- or lockdep gets unhappy ++ * because the name of the lock is set using the ++ * stringification of the argument to init_rwsem(). ++ */ ++ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */ ++ lockdep_set_subclass(&ei->i_data_sem, subclass); ++} ++ + /* + * Standard function to be called on quota_on + */ +@@ -5162,8 +5176,12 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + if (err) + return err; + } +- +- return dquot_quota_on(sb, type, format_id, path); ++ lockdep_set_quota_inode(path->dentry->d_inode, I_DATA_SEM_QUOTA); ++ err = dquot_quota_on(sb, type, format_id, path); ++ if (err) ++ lockdep_set_quota_inode(path->dentry->d_inode, ++ I_DATA_SEM_NORMAL); ++ return err; + } + + static int ext4_quota_enable(struct super_block *sb, int type, int format_id, +@@ -5189,8 +5207,11 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id, + + /* Don't account quota for quota files to avoid recursion */ + qf_inode->i_flags |= S_NOQUOTA; ++ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA); + err = dquot_enable(qf_inode, type, format_id, flags); + iput(qf_inode); ++ if (err) ++ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL); + + return err; + } +diff --git a/kernel/events/core.c b/kernel/events/core.c +index bfd91336e888..cbd549ee09e4 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -1400,14 +1400,14 @@ event_sched_out(struct perf_event *event, + + perf_pmu_disable(event->pmu); + ++ event->tstamp_stopped = tstamp; ++ event->pmu->del(event, 0); ++ event->oncpu = -1; + event->state = PERF_EVENT_STATE_INACTIVE; + if (event->pending_disable) { + event->pending_disable = 0; + event->state = PERF_EVENT_STATE_OFF; + } +- event->tstamp_stopped = tstamp; +- event->pmu->del(event, 0); +- event->oncpu = -1; + + if (!is_software_event(event)) + cpuctx->active_oncpu--; +diff --git a/mm/page_isolation.c b/mm/page_isolation.c +index d1473b2e9481..88bdbf48cf6c 100644 +--- a/mm/page_isolation.c ++++ b/mm/page_isolation.c +@@ -259,11 +259,11 @@ struct page *alloc_migrate_target(struct page *page, unsigned long private, + * now as a simple work-around, we use the next node for destination. + */ + if (PageHuge(page)) { +- nodemask_t src = nodemask_of_node(page_to_nid(page)); +- nodemask_t dst; +- nodes_complement(dst, src); ++ int node = next_online_node(page_to_nid(page)); ++ if (node == MAX_NUMNODES) ++ node = first_online_node; + return alloc_huge_page_node(page_hstate(compound_head(page)), +- next_node(page_to_nid(page), dst)); ++ node); + } + + if (PageHighMem(page)) +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 6970e36ad7b8..b0fe13529033 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1939,10 +1939,14 @@ void udp_v4_early_demux(struct sk_buff *skb) + if (!in_dev) + return; + +- ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr, +- iph->protocol); +- if (!ours) +- return; ++ /* we are supposed to accept bcast packets */ ++ if (skb->pkt_type == PACKET_MULTICAST) { ++ ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr, ++ iph->protocol); ++ if (!ours) ++ return; ++ } ++ + sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr, + uh->source, iph->saddr, dif); + } else if (skb->pkt_type == PACKET_HOST) { +diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c +index 8af3eb57f438..c7c8f71d0d48 100644 +--- a/net/ipv6/exthdrs_core.c ++++ b/net/ipv6/exthdrs_core.c +@@ -257,7 +257,11 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, + *fragoff = _frag_off; + return hp->nexthdr; + } +- return -ENOENT; ++ if (!found) ++ return -ENOENT; ++ if (fragoff) ++ *fragoff = _frag_off; ++ break; + } + hdrlen = 8; + } else if (nexthdr == NEXTHDR_AUTH) { +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 657639d39f70..57011ec645ea 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -273,12 +273,12 @@ static int ip6_tnl_create2(struct net_device *dev) + + t = netdev_priv(dev); + ++ dev->rtnl_link_ops = &ip6_link_ops; + err = register_netdevice(dev); + if (err < 0) + goto out; + + strcpy(t->parms.name, dev->name); +- dev->rtnl_link_ops = &ip6_link_ops; + + dev_hold(dev); + ip6_tnl_link(ip6n, t); +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 38625a91ec94..d2013c718112 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -868,11 +868,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + ret = udpv6_queue_rcv_skb(sk, skb); + sock_put(sk); + +- /* a return value > 0 means to resubmit the input, but +- * it wants the return to be -protocol, or 0 +- */ ++ /* a return value > 0 means to resubmit the input */ + if (ret > 0) +- return -ret; ++ return ret; + + return 0; + } +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 0b44d855269c..0693f019fb0f 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *skb) + struct l2tp_tunnel *tunnel = NULL; + int length; + +- /* Point to L2TP header */ +- optr = ptr = skb->data; +- + if (!pskb_may_pull(skb, 4)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; + session_id = ntohl(*((__be32 *) ptr)); + ptr += 4; + +@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *skb) + if (!pskb_may_pull(skb, length)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; ++ ptr += 4; + pr_debug("%s: ip recv\n", tunnel->name); + print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); + } +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 7704ea9502fd..15f1e4479926 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff *skb) + struct l2tp_tunnel *tunnel = NULL; + int length; + +- /* Point to L2TP header */ +- optr = ptr = skb->data; +- + if (!pskb_may_pull(skb, 4)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; + session_id = ntohl(*((__be32 *) ptr)); + ptr += 4; + +@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff *skb) + if (!pskb_may_pull(skb, length)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; ++ ptr += 4; + pr_debug("%s: ip recv\n", tunnel->name); + print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); + } +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 9abb445ea261..8a87e78b269f 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2087,7 +2087,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + struct ieee80211_sub_if_data *sdata = rx->sdata; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; +- u16 q, hdrlen; ++ u16 ac, q, hdrlen; + + hdr = (struct ieee80211_hdr *) skb->data; + hdrlen = ieee80211_hdrlen(hdr->frame_control); +@@ -2157,7 +2157,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + ether_addr_equal(sdata->vif.addr, hdr->addr3)) + return RX_CONTINUE; + +- q = ieee80211_select_queue_80211(sdata, skb, hdr); ++ ac = ieee80211_select_queue_80211(sdata, skb, hdr); ++ q = sdata->vif.hw_queue[ac]; + if (ieee80211_queue_stopped(&local->hw, q)) { + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion); + return RX_DROP_MONITOR; +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 1b9b4528b5f3..4395f295446d 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -519,6 +519,8 @@ static int sctp_v6_cmp_addr(const union sctp_addr *addr1, + } + return 0; + } ++ if (addr1->v6.sin6_port != addr2->v6.sin6_port) ++ return 0; + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) + return 0; + /* If this is a linklocal address, compare the scope_id. */ +diff --git a/net/socket.c b/net/socket.c +index b72fc137e1a6..5940690476c9 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -2400,31 +2400,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + break; + } + +-out_put: +- fput_light(sock->file, fput_needed); +- + if (err == 0) +- return datagrams; ++ goto out_put; + +- if (datagrams != 0) { ++ if (datagrams == 0) { ++ datagrams = err; ++ goto out_put; ++ } ++ ++ /* ++ * We may return less entries than requested (vlen) if the ++ * sock is non block and there aren't enough datagrams... ++ */ ++ if (err != -EAGAIN) { + /* +- * We may return less entries than requested (vlen) if the +- * sock is non block and there aren't enough datagrams... ++ * ... or if recvmsg returns an error after we ++ * received some datagrams, where we record the ++ * error to return on the next call or if the ++ * app asks about it using getsockopt(SO_ERROR). + */ +- if (err != -EAGAIN) { +- /* +- * ... or if recvmsg returns an error after we +- * received some datagrams, where we record the +- * error to return on the next call or if the +- * app asks about it using getsockopt(SO_ERROR). +- */ +- sock->sk->sk_err = -err; +- } +- +- return datagrams; ++ sock->sk->sk_err = -err; + } ++out_put: ++ fput_light(sock->file, fput_needed); + +- return err; ++ return datagrams; + } + + SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, +diff --git a/sound/core/timer.c b/sound/core/timer.c +index d90d8f4b85fe..38742e826900 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1012,8 +1012,8 @@ static int snd_timer_s_start(struct snd_timer * timer) + njiff += timer->sticks - priv->correction; + priv->correction = 0; + } +- priv->last_expires = priv->tlist.expires = njiff; +- add_timer(&priv->tlist); ++ priv->last_expires = njiff; ++ mod_timer(&priv->tlist, njiff); + return 0; + } + diff --git a/patch/kernel/cubox-dev/patch-3.14.67-68.patch b/patch/kernel/cubox-dev/patch-3.14.67-68.patch new file mode 100644 index 000000000..8e6aef3cc --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.67-68.patch @@ -0,0 +1,1259 @@ +diff --git a/Makefile b/Makefile +index 0a28325ef49c..5ec8a7dda8ba 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 67 ++SUBLEVEL = 68 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/mach-omap2/cpuidle34xx.c b/arch/arm/mach-omap2/cpuidle34xx.c +index e18709d3b95d..38e1bdcaf015 100644 +--- a/arch/arm/mach-omap2/cpuidle34xx.c ++++ b/arch/arm/mach-omap2/cpuidle34xx.c +@@ -34,6 +34,7 @@ + #include "pm.h" + #include "control.h" + #include "common.h" ++#include "soc.h" + + /* Mach specific information to be recorded in the C-state driver_data */ + struct omap3_idle_statedata { +@@ -322,6 +323,69 @@ static struct cpuidle_driver omap3_idle_driver = { + .safe_state_index = 0, + }; + ++/* ++ * Numbers based on measurements made in October 2009 for PM optimized kernel ++ * with CPU freq enabled on device Nokia N900. Assumes OPP2 (main idle OPP, ++ * and worst case latencies). ++ */ ++static struct cpuidle_driver omap3430_idle_driver = { ++ .name = "omap3430_idle", ++ .owner = THIS_MODULE, ++ .states = { ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 110 + 162, ++ .target_residency = 5, ++ .name = "C1", ++ .desc = "MPU ON + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 106 + 180, ++ .target_residency = 309, ++ .name = "C2", ++ .desc = "MPU ON + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 107 + 410, ++ .target_residency = 46057, ++ .name = "C3", ++ .desc = "MPU RET + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 121 + 3374, ++ .target_residency = 46057, ++ .name = "C4", ++ .desc = "MPU OFF + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 855 + 1146, ++ .target_residency = 46057, ++ .name = "C5", ++ .desc = "MPU RET + CORE RET", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 7580 + 4134, ++ .target_residency = 484329, ++ .name = "C6", ++ .desc = "MPU OFF + CORE RET", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 7505 + 15274, ++ .target_residency = 484329, ++ .name = "C7", ++ .desc = "MPU OFF + CORE OFF", ++ }, ++ }, ++ .state_count = ARRAY_SIZE(omap3_idle_data), ++ .safe_state_index = 0, ++}; ++ + /* Public functions */ + + /** +@@ -340,5 +404,8 @@ int __init omap3_idle_init(void) + if (!mpu_pd || !core_pd || !per_pd || !cam_pd) + return -ENODEV; + +- return cpuidle_register(&omap3_idle_driver, NULL); ++ if (cpu_is_omap3430()) ++ return cpuidle_register(&omap3430_idle_driver, NULL); ++ else ++ return cpuidle_register(&omap3_idle_driver, NULL); + } +diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c +index 399af1e9f6e1..4bfd470b6d55 100644 +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -1439,9 +1439,7 @@ static void _enable_sysc(struct omap_hwmod *oh) + (sf & SYSC_HAS_CLOCKACTIVITY)) + _set_clockactivity(oh, oh->class->sysc->clockact, &v); + +- /* If the cached value is the same as the new value, skip the write */ +- if (oh->_sysc_cache != v) +- _write_sysconfig(v, oh); ++ _write_sysconfig(v, oh); + + /* + * Set the autoidle bit only after setting the smartidle bit +@@ -1504,7 +1502,9 @@ static void _idle_sysc(struct omap_hwmod *oh) + _set_master_standbymode(oh, idlemode, &v); + } + +- _write_sysconfig(v, oh); ++ /* If the cached value is the same as the new value, skip the write */ ++ if (oh->_sysc_cache != v) ++ _write_sysconfig(v, oh); + } + + /** +diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h +index d866959e5685..d2ad00a42234 100644 +--- a/arch/x86/include/asm/xen/hypervisor.h ++++ b/arch/x86/include/asm/xen/hypervisor.h +@@ -57,4 +57,6 @@ static inline bool xen_x2apic_para_available(void) + } + #endif + ++extern void xen_set_iopl_mask(unsigned mask); ++ + #endif /* _ASM_X86_XEN_HYPERVISOR_H */ +diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c +index e2d26ce9b854..4b8716d09ff9 100644 +--- a/arch/x86/kernel/process_64.c ++++ b/arch/x86/kernel/process_64.c +@@ -49,6 +49,7 @@ + #include + #include + #include ++#include + + asmlinkage extern void ret_from_fork(void); + +@@ -427,6 +428,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV)) + __switch_to_xtra(prev_p, next_p, tss); + ++#ifdef CONFIG_XEN ++ /* ++ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and ++ * current_pt_regs()->flags may not match the current task's ++ * intended IOPL. We need to switch it manually. ++ */ ++ if (unlikely(xen_pv_domain() && ++ prev->iopl != next->iopl)) ++ xen_set_iopl_mask(next->iopl); ++#endif ++ + return prev_p; + } + +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index a7fab60bdeeb..ac1e7dafb32e 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -956,7 +956,7 @@ static void xen_load_sp0(struct tss_struct *tss, + xen_mc_issue(PARAVIRT_LAZY_CPU); + } + +-static void xen_set_iopl_mask(unsigned mask) ++void xen_set_iopl_mask(unsigned mask) + { + struct physdev_set_iopl set_iopl; + +diff --git a/crypto/gcm.c b/crypto/gcm.c +index 9cea4d0b6904..f0bd00b15f26 100644 +--- a/crypto/gcm.c ++++ b/crypto/gcm.c +@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req, + aead_request_set_tfm(subreq, ctx->child); + aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done, + req); ++ if (!enc) ++ aead_request_set_callback(subreq, req->base.flags, ++ req->base.complete, req->base.data); + aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv); + aead_request_set_assoc(subreq, assoc, assoclen); + +diff --git a/drivers/block/paride/pd.c b/drivers/block/paride/pd.c +index 19ad8f0c83ef..897b6b9e53b1 100644 +--- a/drivers/block/paride/pd.c ++++ b/drivers/block/paride/pd.c +@@ -126,7 +126,7 @@ + */ + #include + +-static bool verbose = 0; ++static int verbose = 0; + static int major = PD_MAJOR; + static char *name = PD_NAME; + static int cluster = 64; +@@ -161,7 +161,7 @@ enum {D_PRT, D_PRO, D_UNI, D_MOD, D_GEO, D_SBY, D_DLY, D_SLV}; + static DEFINE_MUTEX(pd_mutex); + static DEFINE_SPINLOCK(pd_lock); + +-module_param(verbose, bool, 0); ++module_param(verbose, int, 0); + module_param(major, int, 0); + module_param(name, charp, 0); + module_param(cluster, int, 0); +diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c +index 2596042eb987..ada45058e04d 100644 +--- a/drivers/block/paride/pt.c ++++ b/drivers/block/paride/pt.c +@@ -117,7 +117,7 @@ + + */ + +-static bool verbose = 0; ++static int verbose = 0; + static int major = PT_MAJOR; + static char *name = PT_NAME; + static int disable = 0; +@@ -152,7 +152,7 @@ static int (*drives[4])[6] = {&drive0, &drive1, &drive2, &drive3}; + + #include + +-module_param(verbose, bool, 0); ++module_param(verbose, int, 0); + module_param(major, int, 0); + module_param(name, charp, 0); + module_param_array(drive0, int, NULL, 0); +diff --git a/drivers/bus/imx-weim.c b/drivers/bus/imx-weim.c +index 3ef58c8dbf11..78737f4fd894 100644 +--- a/drivers/bus/imx-weim.c ++++ b/drivers/bus/imx-weim.c +@@ -92,7 +92,7 @@ static int __init weim_parse_dt(struct platform_device *pdev, + struct device_node *child; + int ret; + +- for_each_child_of_node(pdev->dev.of_node, child) { ++ for_each_available_child_of_node(pdev->dev.of_node, child) { + if (!child->name) + continue; + +diff --git a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +index 5c93afb1841a..f10b4998937d 100644 +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -206,6 +206,9 @@ static int ccp_aes_cmac_export(struct ahash_request *req, void *out) + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); + struct ccp_aes_cmac_exp_ctx state; + ++ /* Don't let anything leak to 'out' */ ++ memset(&state, 0, sizeof(state)); ++ + state.null_msg = rctx->null_msg; + memcpy(state.iv, rctx->iv, sizeof(state.iv)); + state.buf_count = rctx->buf_count; +diff --git a/drivers/crypto/ccp/ccp-crypto-sha.c b/drivers/crypto/ccp/ccp-crypto-sha.c +index bdbb5865a50f..c5b393694dfe 100644 +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -262,6 +262,9 @@ static int ccp_sha_export(struct ahash_request *req, void *out) + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); + struct ccp_sha_exp_ctx state; + ++ /* Don't let anything leak to 'out' */ ++ memset(&state, 0, sizeof(state)); ++ + state.type = rctx->type; + state.msg_bits = rctx->msg_bits; + state.first = rctx->first; +diff --git a/drivers/edac/i7core_edac.c b/drivers/edac/i7core_edac.c +index d871275196f6..91abfbc1a0a5 100644 +--- a/drivers/edac/i7core_edac.c ++++ b/drivers/edac/i7core_edac.c +@@ -1878,7 +1878,7 @@ static int i7core_mce_check_error(struct notifier_block *nb, unsigned long val, + + i7_dev = get_i7core_dev(mce->socketid); + if (!i7_dev) +- return NOTIFY_BAD; ++ return NOTIFY_DONE; + + mci = i7_dev->mci; + pvt = mci->pvt_info; +diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c +index 3e623ab5e315..424c235407ba 100644 +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -1840,7 +1840,7 @@ static int sbridge_mce_check_error(struct notifier_block *nb, unsigned long val, + + mci = get_mci_for_node_id(mce->socketid); + if (!mci) +- return NOTIFY_BAD; ++ return NOTIFY_DONE; + pvt = mci->pvt_info; + + /* +diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c +index 4e2f46938bf0..e7566d4931c6 100644 +--- a/drivers/firmware/efi/vars.c ++++ b/drivers/firmware/efi/vars.c +@@ -202,29 +202,44 @@ static const struct variable_validate variable_validate[] = { + { NULL_GUID, "", NULL }, + }; + ++/* ++ * Check if @var_name matches the pattern given in @match_name. ++ * ++ * @var_name: an array of @len non-NUL characters. ++ * @match_name: a NUL-terminated pattern string, optionally ending in "*". A ++ * final "*" character matches any trailing characters @var_name, ++ * including the case when there are none left in @var_name. ++ * @match: on output, the number of non-wildcard characters in @match_name ++ * that @var_name matches, regardless of the return value. ++ * @return: whether @var_name fully matches @match_name. ++ */ + static bool + variable_matches(const char *var_name, size_t len, const char *match_name, + int *match) + { + for (*match = 0; ; (*match)++) { + char c = match_name[*match]; +- char u = var_name[*match]; + +- /* Wildcard in the matching name means we've matched */ +- if (c == '*') ++ switch (c) { ++ case '*': ++ /* Wildcard in @match_name means we've matched. */ + return true; + +- /* Case sensitive match */ +- if (!c && *match == len) +- return true; ++ case '\0': ++ /* @match_name has ended. Has @var_name too? */ ++ return (*match == len); + +- if (c != u) ++ default: ++ /* ++ * We've reached a non-wildcard char in @match_name. ++ * Continue only if there's an identical character in ++ * @var_name. ++ */ ++ if (*match < len && c == var_name[*match]) ++ continue; + return false; +- +- if (!c) +- return true; ++ } + } +- return true; + } + + bool +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index 11f401ac6bdc..d2fdee27acec 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -295,10 +295,15 @@ static int qxl_crtc_cursor_set2(struct drm_crtc *crtc, + + qxl_bo_kunmap(user_bo); + ++ qcrtc->cur_x += qcrtc->hot_spot_x - hot_x; ++ qcrtc->cur_y += qcrtc->hot_spot_y - hot_y; ++ qcrtc->hot_spot_x = hot_x; ++ qcrtc->hot_spot_y = hot_y; ++ + cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release); + cmd->type = QXL_CURSOR_SET; +- cmd->u.set.position.x = qcrtc->cur_x; +- cmd->u.set.position.y = qcrtc->cur_y; ++ cmd->u.set.position.x = qcrtc->cur_x + qcrtc->hot_spot_x; ++ cmd->u.set.position.y = qcrtc->cur_y + qcrtc->hot_spot_y; + + cmd->u.set.shape = qxl_bo_physical_address(qdev, cursor_bo, 0); + +@@ -361,8 +366,8 @@ static int qxl_crtc_cursor_move(struct drm_crtc *crtc, + + cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release); + cmd->type = QXL_CURSOR_MOVE; +- cmd->u.position.x = qcrtc->cur_x; +- cmd->u.position.y = qcrtc->cur_y; ++ cmd->u.position.x = qcrtc->cur_x + qcrtc->hot_spot_x; ++ cmd->u.position.y = qcrtc->cur_y + qcrtc->hot_spot_y; + qxl_release_unmap(qdev, release, &cmd->release_info); + + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); +diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h +index 8aa077ca8244..d5ebf3e33f8e 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -139,6 +139,8 @@ struct qxl_crtc { + int index; + int cur_x; + int cur_y; ++ int hot_spot_x; ++ int hot_spot_y; + }; + + struct qxl_output { +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 077bb1bdac34..e3b734186375 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -689,6 +690,39 @@ static void vmbus_flow_handler(unsigned int irq, struct irq_desc *desc) + desc->action->handler(irq, desc->action->dev_id); + } + ++#ifdef CONFIG_HOTPLUG_CPU ++static int hyperv_cpu_disable(void) ++{ ++ return -ENOSYS; ++} ++ ++static void hv_cpu_hotplug_quirk(bool vmbus_loaded) ++{ ++ static void *previous_cpu_disable; ++ ++ /* ++ * Offlining a CPU when running on newer hypervisors (WS2012R2, Win8, ++ * ...) is not supported at this moment as channel interrupts are ++ * distributed across all of them. ++ */ ++ ++ if ((vmbus_proto_version == VERSION_WS2008) || ++ (vmbus_proto_version == VERSION_WIN7)) ++ return; ++ ++ if (vmbus_loaded) { ++ previous_cpu_disable = smp_ops.cpu_disable; ++ smp_ops.cpu_disable = hyperv_cpu_disable; ++ pr_notice("CPU offlining is not supported by hypervisor\n"); ++ } else if (previous_cpu_disable) ++ smp_ops.cpu_disable = previous_cpu_disable; ++} ++#else ++static void hv_cpu_hotplug_quirk(bool vmbus_loaded) ++{ ++} ++#endif ++ + /* + * vmbus_bus_init -Main vmbus driver initialization routine. + * +@@ -747,6 +781,7 @@ static int vmbus_bus_init(int irq) + if (ret) + goto err_alloc; + ++ hv_cpu_hotplug_quirk(true); + vmbus_request_offers(); + + return 0; +@@ -984,6 +1019,7 @@ static void __exit vmbus_exit(void) + bus_unregister(&hv_bus); + hv_cleanup(); + acpi_bus_unregister_driver(&vmbus_acpi_driver); ++ hv_cpu_hotplug_quirk(false); + } + + +diff --git a/drivers/i2c/busses/i2c-cpm.c b/drivers/i2c/busses/i2c-cpm.c +index f3b89a4698b6..a866fc1a09f4 100644 +--- a/drivers/i2c/busses/i2c-cpm.c ++++ b/drivers/i2c/busses/i2c-cpm.c +@@ -120,8 +120,8 @@ struct cpm_i2c { + cbd_t __iomem *rbase; + u_char *txbuf[CPM_MAXBD]; + u_char *rxbuf[CPM_MAXBD]; +- u32 txdma[CPM_MAXBD]; +- u32 rxdma[CPM_MAXBD]; ++ dma_addr_t txdma[CPM_MAXBD]; ++ dma_addr_t rxdma[CPM_MAXBD]; + }; + + static irqreturn_t cpm_i2c_interrupt(int irq, void *dev_id) +diff --git a/drivers/i2c/busses/i2c-exynos5.c b/drivers/i2c/busses/i2c-exynos5.c +index 9fd711c03dd2..78dfba3cf442 100644 +--- a/drivers/i2c/busses/i2c-exynos5.c ++++ b/drivers/i2c/busses/i2c-exynos5.c +@@ -574,7 +574,9 @@ static int exynos5_i2c_xfer(struct i2c_adapter *adap, + return -EIO; + } + +- clk_prepare_enable(i2c->clk); ++ ret = clk_enable(i2c->clk); ++ if (ret) ++ return ret; + + for (i = 0; i < num; i++, msgs++) { + stop = (i == num - 1); +@@ -598,7 +600,7 @@ static int exynos5_i2c_xfer(struct i2c_adapter *adap, + } + + out: +- clk_disable_unprepare(i2c->clk); ++ clk_disable(i2c->clk); + return ret; + } + +@@ -652,7 +654,9 @@ static int exynos5_i2c_probe(struct platform_device *pdev) + return -ENOENT; + } + +- clk_prepare_enable(i2c->clk); ++ ret = clk_prepare_enable(i2c->clk); ++ if (ret) ++ return ret; + + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + i2c->regs = devm_ioremap_resource(&pdev->dev, mem); +@@ -701,6 +705,10 @@ static int exynos5_i2c_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, i2c); + ++ clk_disable(i2c->clk); ++ ++ return 0; ++ + err_clk: + clk_disable_unprepare(i2c->clk); + return ret; +@@ -712,6 +720,8 @@ static int exynos5_i2c_remove(struct platform_device *pdev) + + i2c_del_adapter(&i2c->adap); + ++ clk_unprepare(i2c->clk); ++ + return 0; + } + +@@ -722,6 +732,8 @@ static int exynos5_i2c_suspend_noirq(struct device *dev) + + i2c->suspended = 1; + ++ clk_unprepare(i2c->clk); ++ + return 0; + } + +@@ -731,7 +743,9 @@ static int exynos5_i2c_resume_noirq(struct device *dev) + struct exynos5_i2c *i2c = platform_get_drvdata(pdev); + int ret = 0; + +- clk_prepare_enable(i2c->clk); ++ ret = clk_prepare_enable(i2c->clk); ++ if (ret) ++ return ret; + + ret = exynos5_hsi2c_clock_setup(i2c); + if (ret) { +@@ -740,7 +754,7 @@ static int exynos5_i2c_resume_noirq(struct device *dev) + } + + exynos5_i2c_init(i2c); +- clk_disable_unprepare(i2c->clk); ++ clk_disable(i2c->clk); + i2c->suspended = 0; + + return 0; +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index caecffe8caff..b12aedcdd89b 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -868,6 +868,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + goto err_free_buf; + } + ++ /* Sanity check that a device has an endpoint */ ++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_err(&usbinterface->dev, ++ "Invalid number of endpoints\n"); ++ error = -EINVAL; ++ goto err_free_urb; ++ } ++ + /* + * The endpoint is always altsetting 0, we know this since we know + * this device only has one interrupt endpoint +@@ -889,7 +897,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + * HID report descriptor + */ + if (usb_get_extra_descriptor(usbinterface->cur_altsetting, +- HID_DEVICE_TYPE, &hid_desc) != 0){ ++ HID_DEVICE_TYPE, &hid_desc) != 0) { + dev_err(&usbinterface->dev, + "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); + error = -EIO; +diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig +index 6cb388e8fb7d..958e0e776683 100644 +--- a/drivers/misc/Kconfig ++++ b/drivers/misc/Kconfig +@@ -438,7 +438,7 @@ config ARM_CHARLCD + still useful. + + config BMP085 +- bool ++ tristate + depends on SYSFS + + config BMP085_I2C +diff --git a/drivers/misc/ad525x_dpot.c b/drivers/misc/ad525x_dpot.c +index d3eee113baeb..daae8e58447d 100644 +--- a/drivers/misc/ad525x_dpot.c ++++ b/drivers/misc/ad525x_dpot.c +@@ -216,7 +216,7 @@ static s32 dpot_read_i2c(struct dpot_data *dpot, u8 reg) + */ + value = swab16(value); + +- if (dpot->uid == DPOT_UID(AD5271_ID)) ++ if (dpot->uid == DPOT_UID(AD5274_ID)) + value = value >> 2; + return value; + default: +diff --git a/drivers/net/ethernet/jme.c b/drivers/net/ethernet/jme.c +index 2b20e2368fca..b6ecb3f06499 100644 +--- a/drivers/net/ethernet/jme.c ++++ b/drivers/net/ethernet/jme.c +@@ -270,11 +270,17 @@ jme_reset_mac_processor(struct jme_adapter *jme) + } + + static inline void +-jme_clear_pm(struct jme_adapter *jme) ++jme_clear_pm_enable_wol(struct jme_adapter *jme) + { + jwrite32(jme, JME_PMCS, PMCS_STMASK | jme->reg_pmcs); + } + ++static inline void ++jme_clear_pm_disable_wol(struct jme_adapter *jme) ++{ ++ jwrite32(jme, JME_PMCS, PMCS_STMASK); ++} ++ + static int + jme_reload_eeprom(struct jme_adapter *jme) + { +@@ -1857,7 +1863,7 @@ jme_open(struct net_device *netdev) + struct jme_adapter *jme = netdev_priv(netdev); + int rc; + +- jme_clear_pm(jme); ++ jme_clear_pm_disable_wol(jme); + JME_NAPI_ENABLE(jme); + + tasklet_init(&jme->linkch_task, jme_link_change_tasklet, +@@ -1929,11 +1935,11 @@ jme_wait_link(struct jme_adapter *jme) + static void + jme_powersave_phy(struct jme_adapter *jme) + { +- if (jme->reg_pmcs) { ++ if (jme->reg_pmcs && device_may_wakeup(&jme->pdev->dev)) { + jme_set_100m_half(jme); + if (jme->reg_pmcs & (PMCS_LFEN | PMCS_LREN)) + jme_wait_link(jme); +- jme_clear_pm(jme); ++ jme_clear_pm_enable_wol(jme); + } else { + jme_phy_off(jme); + } +@@ -2621,9 +2627,6 @@ jme_set_wol(struct net_device *netdev, + if (wol->wolopts & WAKE_MAGIC) + jme->reg_pmcs |= PMCS_MFEN; + +- jwrite32(jme, JME_PMCS, jme->reg_pmcs); +- device_set_wakeup_enable(&jme->pdev->dev, !!(jme->reg_pmcs)); +- + return 0; + } + +@@ -3147,8 +3150,8 @@ jme_init_one(struct pci_dev *pdev, + jme->mii_if.mdio_read = jme_mdio_read; + jme->mii_if.mdio_write = jme_mdio_write; + +- jme_clear_pm(jme); +- device_set_wakeup_enable(&pdev->dev, true); ++ jme_clear_pm_disable_wol(jme); ++ device_init_wakeup(&pdev->dev, true); + + jme_set_phyfifo_5level(jme); + jme->pcirev = pdev->revision; +@@ -3279,7 +3282,7 @@ jme_resume(struct device *dev) + if (!netif_running(netdev)) + return 0; + +- jme_clear_pm(jme); ++ jme_clear_pm_disable_wol(jme); + jme_phy_on(jme); + if (test_bit(JME_FLAG_SSET, &jme->flags)) + jme_set_settings(netdev, &jme->old_ecmd); +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index de6459628b4f..fa2dcbcdb921 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1313,9 +1313,9 @@ static int pcs_parse_bits_in_pinctrl_entry(struct pcs_device *pcs, + + /* Parse pins in each row from LSB */ + while (mask) { +- bit_pos = ffs(mask); ++ bit_pos = __ffs(mask); + pin_num_from_lsb = bit_pos / pcs->bits_per_pin; +- mask_pos = ((pcs->fmask) << (bit_pos - 1)); ++ mask_pos = ((pcs->fmask) << bit_pos); + val_pos = val & mask_pos; + submask = mask & mask_pos; + +@@ -1892,7 +1892,7 @@ static int pcs_probe(struct platform_device *pdev) + ret = of_property_read_u32(np, "pinctrl-single,function-mask", + &pcs->fmask); + if (!ret) { +- pcs->fshift = ffs(pcs->fmask) - 1; ++ pcs->fshift = __ffs(pcs->fmask); + pcs->fmax = pcs->fmask >> pcs->fshift; + } else { + /* If mask property doesn't exist, function mux is invalid. */ +diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c +index e5f13c4310fe..ea99fffd5556 100644 +--- a/drivers/rtc/rtc-hym8563.c ++++ b/drivers/rtc/rtc-hym8563.c +@@ -144,7 +144,7 @@ static int hym8563_rtc_set_time(struct device *dev, struct rtc_time *tm) + * it does not seem to carry it over a subsequent write/read. + * So we'll limit ourself to 100 years, starting at 2000 for now. + */ +- buf[6] = tm->tm_year - 100; ++ buf[6] = bin2bcd(tm->tm_year - 100); + + /* + * CTL1 only contains TEST-mode bits apart from stop, +diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c +index 88c9c92e89fd..4b0966ed5394 100644 +--- a/drivers/rtc/rtc-vr41xx.c ++++ b/drivers/rtc/rtc-vr41xx.c +@@ -272,12 +272,13 @@ static irqreturn_t rtclong1_interrupt(int irq, void *dev_id) + } + + static const struct rtc_class_ops vr41xx_rtc_ops = { +- .release = vr41xx_rtc_release, +- .ioctl = vr41xx_rtc_ioctl, +- .read_time = vr41xx_rtc_read_time, +- .set_time = vr41xx_rtc_set_time, +- .read_alarm = vr41xx_rtc_read_alarm, +- .set_alarm = vr41xx_rtc_set_alarm, ++ .release = vr41xx_rtc_release, ++ .ioctl = vr41xx_rtc_ioctl, ++ .read_time = vr41xx_rtc_read_time, ++ .set_time = vr41xx_rtc_set_time, ++ .read_alarm = vr41xx_rtc_read_alarm, ++ .set_alarm = vr41xx_rtc_set_alarm, ++ .alarm_irq_enable = vr41xx_rtc_alarm_irq_enable, + }; + + static int rtc_probe(struct platform_device *pdev) +diff --git a/drivers/staging/usbip/usbip_common.c b/drivers/staging/usbip/usbip_common.c +index 96552e3a1bfb..b2c9359d9cee 100644 +--- a/drivers/staging/usbip/usbip_common.c ++++ b/drivers/staging/usbip/usbip_common.c +@@ -785,6 +785,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index be33d2b0613b..0eabbac2500d 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -38,7 +38,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -118,8 +117,6 @@ struct sci_port { + struct timer_list rx_timer; + unsigned int rx_timeout; + #endif +- +- struct notifier_block freq_transition; + }; + + /* Function prototypes */ +@@ -1029,30 +1026,6 @@ static irqreturn_t sci_mpxed_interrupt(int irq, void *ptr) + return ret; + } + +-/* +- * Here we define a transition notifier so that we can update all of our +- * ports' baud rate when the peripheral clock changes. +- */ +-static int sci_notifier(struct notifier_block *self, +- unsigned long phase, void *p) +-{ +- struct sci_port *sci_port; +- unsigned long flags; +- +- sci_port = container_of(self, struct sci_port, freq_transition); +- +- if ((phase == CPUFREQ_POSTCHANGE) || +- (phase == CPUFREQ_RESUMECHANGE)) { +- struct uart_port *port = &sci_port->port; +- +- spin_lock_irqsave(&port->lock, flags); +- port->uartclk = clk_get_rate(sci_port->iclk); +- spin_unlock_irqrestore(&port->lock, flags); +- } +- +- return NOTIFY_OK; +-} +- + static struct sci_irq_desc { + const char *desc; + irq_handler_t handler; +@@ -2406,9 +2379,6 @@ static int sci_remove(struct platform_device *dev) + { + struct sci_port *port = platform_get_drvdata(dev); + +- cpufreq_unregister_notifier(&port->freq_transition, +- CPUFREQ_TRANSITION_NOTIFIER); +- + uart_remove_one_port(&sci_uart_driver, &port->port); + + sci_cleanup_single(port); +@@ -2559,15 +2529,6 @@ static int sci_probe(struct platform_device *dev) + if (ret) + return ret; + +- sp->freq_transition.notifier_call = sci_notifier; +- +- ret = cpufreq_register_notifier(&sp->freq_transition, +- CPUFREQ_TRANSITION_NOTIFIER); +- if (unlikely(ret < 0)) { +- sci_cleanup_single(sp); +- return ret; +- } +- + #ifdef CONFIG_SH_STANDARD_BIOS + sh_bios_gdb_detach(); + #endif +diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c +index 1f02e65fe305..ccdcc7063eee 100644 +--- a/drivers/usb/core/hcd-pci.c ++++ b/drivers/usb/core/hcd-pci.c +@@ -74,6 +74,15 @@ static void for_each_companion(struct pci_dev *pdev, struct usb_hcd *hcd, + if (companion->bus != pdev->bus || + PCI_SLOT(companion->devfn) != slot) + continue; ++ ++ /* ++ * Companion device should be either UHCI,OHCI or EHCI host ++ * controller, otherwise skip. ++ */ ++ if (companion->class != CL_UHCI && companion->class != CL_OHCI && ++ companion->class != CL_EHCI) ++ continue; ++ + companion_hcd = pci_get_drvdata(companion); + if (!companion_hcd || !companion_hcd->self.root_hub) + continue; +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 86bfaf904ab5..b39d217310fe 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1785,6 +1785,12 @@ no_bw: + kfree(xhci->rh_bw); + kfree(xhci->ext_caps); + ++ xhci->usb2_ports = NULL; ++ xhci->usb3_ports = NULL; ++ xhci->port_array = NULL; ++ xhci->rh_bw = NULL; ++ xhci->ext_caps = NULL; ++ + xhci->page_size = 0; + xhci->page_shift = 0; + xhci->bus_state[0].bus_suspended = 0; +diff --git a/drivers/video/da8xx-fb.c b/drivers/video/da8xx-fb.c +index a1d74dd11988..d06600a594c3 100644 +--- a/drivers/video/da8xx-fb.c ++++ b/drivers/video/da8xx-fb.c +@@ -209,8 +209,7 @@ static struct fb_videomode known_lcd_panels[] = { + .lower_margin = 2, + .hsync_len = 0, + .vsync_len = 0, +- .sync = FB_SYNC_CLK_INVERT | +- FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ .sync = FB_SYNC_CLK_INVERT, + }, + /* Sharp LK043T1DG01 */ + [1] = { +@@ -224,7 +223,7 @@ static struct fb_videomode known_lcd_panels[] = { + .lower_margin = 2, + .hsync_len = 41, + .vsync_len = 10, +- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ .sync = 0, + .flag = 0, + }, + [2] = { +@@ -239,7 +238,7 @@ static struct fb_videomode known_lcd_panels[] = { + .lower_margin = 10, + .hsync_len = 10, + .vsync_len = 10, +- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ .sync = 0, + .flag = 0, + }, + }; +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index f9c63ae7276a..58001fcff037 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4972,6 +4972,8 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) + might_sleep(); + trace_ext4_mark_inode_dirty(inode, _RET_IP_); + err = ext4_reserve_inode_write(handle, inode, &iloc); ++ if (err) ++ return err; + if (ext4_handle_valid(handle) && + EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize && + !ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) { +@@ -5002,9 +5004,7 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) + } + } + } +- if (!err) +- err = ext4_mark_iloc_dirty(handle, inode, &iloc); +- return err; ++ return ext4_mark_iloc_dirty(handle, inode, &iloc); + } + + /* +diff --git a/include/linux/poison.h b/include/linux/poison.h +index 2110a81c5e2a..253c9b4198ef 100644 +--- a/include/linux/poison.h ++++ b/include/linux/poison.h +@@ -19,8 +19,8 @@ + * under normal circumstances, used to verify that nobody uses + * non-initialized list entries. + */ +-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA) +-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA) ++#define LIST_POISON1 ((void *) 0x100 + POISON_POINTER_DELTA) ++#define LIST_POISON2 ((void *) 0x200 + POISON_POINTER_DELTA) + + /********** include/linux/timer.h **********/ + /* +diff --git a/kernel/futex.c b/kernel/futex.c +index b125c385a257..9fd1a30ab5bb 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1378,8 +1378,8 @@ void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1, + if (likely(&hb1->chain != &hb2->chain)) { + plist_del(&q->list, &hb1->chain); + hb_waiters_dec(hb1); +- plist_add(&q->list, &hb2->chain); + hb_waiters_inc(hb2); ++ plist_add(&q->list, &hb2->chain); + q->lock_ptr = &hb2->lock; + } + get_futex_key_refs(key2); +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 423c9e37a9e7..0f73a448b162 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -629,6 +629,35 @@ static void set_work_pool_and_clear_pending(struct work_struct *work, + */ + smp_wmb(); + set_work_data(work, (unsigned long)pool_id << WORK_OFFQ_POOL_SHIFT, 0); ++ /* ++ * The following mb guarantees that previous clear of a PENDING bit ++ * will not be reordered with any speculative LOADS or STORES from ++ * work->current_func, which is executed afterwards. This possible ++ * reordering can lead to a missed execution on attempt to qeueue ++ * the same @work. E.g. consider this case: ++ * ++ * CPU#0 CPU#1 ++ * ---------------------------- -------------------------------- ++ * ++ * 1 STORE event_indicated ++ * 2 queue_work_on() { ++ * 3 test_and_set_bit(PENDING) ++ * 4 } set_..._and_clear_pending() { ++ * 5 set_work_data() # clear bit ++ * 6 smp_mb() ++ * 7 work->current_func() { ++ * 8 LOAD event_indicated ++ * } ++ * ++ * Without an explicit full barrier speculative LOAD on line 8 can ++ * be executed before CPU#0 does STORE on line 1. If that happens, ++ * CPU#0 observes the PENDING bit is still set and new execution of ++ * a @work is not queued in a hope, that CPU#1 will eventually ++ * finish the queued @work. Meanwhile CPU#1 does not see ++ * event_indicated is set, because speculative LOAD was executed ++ * before actual STORE. ++ */ ++ smp_mb(); + } + + static void clear_work_data(struct work_struct *work) +diff --git a/lib/assoc_array.c b/lib/assoc_array.c +index 2404d03e251a..03a77f4740c1 100644 +--- a/lib/assoc_array.c ++++ b/lib/assoc_array.c +@@ -523,7 +523,9 @@ static bool assoc_array_insert_into_terminal_node(struct assoc_array_edit *edit, + free_slot = i; + continue; + } +- if (ops->compare_object(assoc_array_ptr_to_leaf(ptr), index_key)) { ++ if (assoc_array_ptr_is_leaf(ptr) && ++ ops->compare_object(assoc_array_ptr_to_leaf(ptr), ++ index_key)) { + pr_devel("replace in slot %d\n", i); + edit->leaf_p = &node->slots[i]; + edit->dead_leaf = node->slots[i]; +diff --git a/lib/lz4/lz4defs.h b/lib/lz4/lz4defs.h +index abcecdc2d0f2..0710a62ad2f6 100644 +--- a/lib/lz4/lz4defs.h ++++ b/lib/lz4/lz4defs.h +@@ -11,8 +11,7 @@ + /* + * Detects 64 bits mode + */ +-#if (defined(__x86_64__) || defined(__x86_64) || defined(__amd64__) \ +- || defined(__ppc64__) || defined(__LP64__)) ++#if defined(CONFIG_64BIT) + #define LZ4_ARCH64 1 + #else + #define LZ4_ARCH64 0 +@@ -35,6 +34,10 @@ typedef struct _U64_S { u64 v; } U64_S; + + #define PUT4(s, d) (A32(d) = A32(s)) + #define PUT8(s, d) (A64(d) = A64(s)) ++ ++#define LZ4_READ_LITTLEENDIAN_16(d, s, p) \ ++ (d = s - A16(p)) ++ + #define LZ4_WRITE_LITTLEENDIAN_16(p, v) \ + do { \ + A16(p) = v; \ +@@ -51,10 +54,13 @@ typedef struct _U64_S { u64 v; } U64_S; + #define PUT8(s, d) \ + put_unaligned(get_unaligned((const u64 *) s), (u64 *) d) + +-#define LZ4_WRITE_LITTLEENDIAN_16(p, v) \ +- do { \ +- put_unaligned(v, (u16 *)(p)); \ +- p += 2; \ ++#define LZ4_READ_LITTLEENDIAN_16(d, s, p) \ ++ (d = s - get_unaligned_le16(p)) ++ ++#define LZ4_WRITE_LITTLEENDIAN_16(p, v) \ ++ do { \ ++ put_unaligned_le16(v, (u16 *)(p)); \ ++ p += 2; \ + } while (0) + #endif + +@@ -140,9 +146,6 @@ typedef struct _U64_S { u64 v; } U64_S; + + #endif + +-#define LZ4_READ_LITTLEENDIAN_16(d, s, p) \ +- (d = s - get_unaligned_le16(p)) +- + #define LZ4_WILDCOPY(s, d, e) \ + do { \ + LZ4_COPYPACKET(s, d); \ +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 07edbcd8697e..311daab4161d 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1187,14 +1187,14 @@ int sunrpc_cache_pipe_upcall(struct cache_detail *detail, struct cache_head *h) + } + + crq->q.reader = 0; +- crq->item = cache_get(h); + crq->buf = buf; + crq->len = 0; + crq->readers = 0; + spin_lock(&queue_lock); +- if (test_bit(CACHE_PENDING, &h->flags)) ++ if (test_bit(CACHE_PENDING, &h->flags)) { ++ crq->item = cache_get(h); + list_add_tail(&crq->q.list, &detail->queue); +- else ++ } else + /* Lost a race, no longer PENDING, so don't enqueue */ + ret = -EAGAIN; + spin_unlock(&queue_lock); +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index c260243dbe07..7bf5f463566b 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -11522,7 +11522,7 @@ static int nl80211_netlink_notify(struct notifier_block * nb, + struct wireless_dev *wdev; + struct cfg80211_beacon_registration *reg, *tmp; + +- if (state != NETLINK_URELEASE) ++ if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC) + return NOTIFY_DONE; + + rcu_read_lock(); +diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c +index 5cb515b08a32..a14ae58377f5 100644 +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -359,7 +359,7 @@ static unsigned int bst_tlv[] = { + + /* Interface data select */ + static const char * const rt5640_data_select[] = { +- "Normal", "left copy to right", "right copy to left", "Swap"}; ++ "Normal", "Swap", "left copy to right", "right copy to left"}; + + static const SOC_ENUM_SINGLE_DECL(rt5640_if1_dac_enum, RT5640_DIG_INF_DATA, + RT5640_IF1_DAC_SEL_SFT, rt5640_data_select); +diff --git a/sound/soc/codecs/rt5640.h b/sound/soc/codecs/rt5640.h +index 5e8df25a13f3..02e3fe767df6 100644 +--- a/sound/soc/codecs/rt5640.h ++++ b/sound/soc/codecs/rt5640.h +@@ -435,39 +435,39 @@ + #define RT5640_IF1_DAC_SEL_MASK (0x3 << 14) + #define RT5640_IF1_DAC_SEL_SFT 14 + #define RT5640_IF1_DAC_SEL_NOR (0x0 << 14) +-#define RT5640_IF1_DAC_SEL_L2R (0x1 << 14) +-#define RT5640_IF1_DAC_SEL_R2L (0x2 << 14) +-#define RT5640_IF1_DAC_SEL_SWAP (0x3 << 14) ++#define RT5640_IF1_DAC_SEL_SWAP (0x1 << 14) ++#define RT5640_IF1_DAC_SEL_L2R (0x2 << 14) ++#define RT5640_IF1_DAC_SEL_R2L (0x3 << 14) + #define RT5640_IF1_ADC_SEL_MASK (0x3 << 12) + #define RT5640_IF1_ADC_SEL_SFT 12 + #define RT5640_IF1_ADC_SEL_NOR (0x0 << 12) +-#define RT5640_IF1_ADC_SEL_L2R (0x1 << 12) +-#define RT5640_IF1_ADC_SEL_R2L (0x2 << 12) +-#define RT5640_IF1_ADC_SEL_SWAP (0x3 << 12) ++#define RT5640_IF1_ADC_SEL_SWAP (0x1 << 12) ++#define RT5640_IF1_ADC_SEL_L2R (0x2 << 12) ++#define RT5640_IF1_ADC_SEL_R2L (0x3 << 12) + #define RT5640_IF2_DAC_SEL_MASK (0x3 << 10) + #define RT5640_IF2_DAC_SEL_SFT 10 + #define RT5640_IF2_DAC_SEL_NOR (0x0 << 10) +-#define RT5640_IF2_DAC_SEL_L2R (0x1 << 10) +-#define RT5640_IF2_DAC_SEL_R2L (0x2 << 10) +-#define RT5640_IF2_DAC_SEL_SWAP (0x3 << 10) ++#define RT5640_IF2_DAC_SEL_SWAP (0x1 << 10) ++#define RT5640_IF2_DAC_SEL_L2R (0x2 << 10) ++#define RT5640_IF2_DAC_SEL_R2L (0x3 << 10) + #define RT5640_IF2_ADC_SEL_MASK (0x3 << 8) + #define RT5640_IF2_ADC_SEL_SFT 8 + #define RT5640_IF2_ADC_SEL_NOR (0x0 << 8) +-#define RT5640_IF2_ADC_SEL_L2R (0x1 << 8) +-#define RT5640_IF2_ADC_SEL_R2L (0x2 << 8) +-#define RT5640_IF2_ADC_SEL_SWAP (0x3 << 8) ++#define RT5640_IF2_ADC_SEL_SWAP (0x1 << 8) ++#define RT5640_IF2_ADC_SEL_L2R (0x2 << 8) ++#define RT5640_IF2_ADC_SEL_R2L (0x3 << 8) + #define RT5640_IF3_DAC_SEL_MASK (0x3 << 6) + #define RT5640_IF3_DAC_SEL_SFT 6 + #define RT5640_IF3_DAC_SEL_NOR (0x0 << 6) +-#define RT5640_IF3_DAC_SEL_L2R (0x1 << 6) +-#define RT5640_IF3_DAC_SEL_R2L (0x2 << 6) +-#define RT5640_IF3_DAC_SEL_SWAP (0x3 << 6) ++#define RT5640_IF3_DAC_SEL_SWAP (0x1 << 6) ++#define RT5640_IF3_DAC_SEL_L2R (0x2 << 6) ++#define RT5640_IF3_DAC_SEL_R2L (0x3 << 6) + #define RT5640_IF3_ADC_SEL_MASK (0x3 << 4) + #define RT5640_IF3_ADC_SEL_SFT 4 + #define RT5640_IF3_ADC_SEL_NOR (0x0 << 4) +-#define RT5640_IF3_ADC_SEL_L2R (0x1 << 4) +-#define RT5640_IF3_ADC_SEL_R2L (0x2 << 4) +-#define RT5640_IF3_ADC_SEL_SWAP (0x3 << 4) ++#define RT5640_IF3_ADC_SEL_SWAP (0x1 << 4) ++#define RT5640_IF3_ADC_SEL_L2R (0x2 << 4) ++#define RT5640_IF3_ADC_SEL_R2L (0x3 << 4) + + /* REC Left Mixer Control 1 (0x3b) */ + #define RT5640_G_HP_L_RM_L_MASK (0x7 << 13) +diff --git a/sound/soc/samsung/s3c-i2s-v2.c b/sound/soc/samsung/s3c-i2s-v2.c +index 79e7efb9283c..e0d6936d17ea 100644 +--- a/sound/soc/samsung/s3c-i2s-v2.c ++++ b/sound/soc/samsung/s3c-i2s-v2.c +@@ -726,7 +726,7 @@ static int s3c2412_i2s_resume(struct snd_soc_dai *dai) + #endif + + int s3c_i2sv2_register_component(struct device *dev, int id, +- struct snd_soc_component_driver *cmp_drv, ++ const struct snd_soc_component_driver *cmp_drv, + struct snd_soc_dai_driver *dai_drv) + { + struct snd_soc_dai_ops *ops = dai_drv->ops; +diff --git a/sound/soc/samsung/s3c-i2s-v2.h b/sound/soc/samsung/s3c-i2s-v2.h +index 90abab364b49..d0684145ed1f 100644 +--- a/sound/soc/samsung/s3c-i2s-v2.h ++++ b/sound/soc/samsung/s3c-i2s-v2.h +@@ -101,7 +101,7 @@ extern int s3c_i2sv2_probe(struct snd_soc_dai *dai, + * soc core. + */ + extern int s3c_i2sv2_register_component(struct device *dev, int id, +- struct snd_soc_component_driver *cmp_drv, ++ const struct snd_soc_component_driver *cmp_drv, + struct snd_soc_dai_driver *dai_drv); + + #endif /* __SND_SOC_S3C24XX_S3C_I2SV2_I2S_H */ +diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt +index 29ee857c09c6..6f9fbb44cd19 100644 +--- a/tools/perf/Documentation/perf-stat.txt ++++ b/tools/perf/Documentation/perf-stat.txt +@@ -50,6 +50,14 @@ OPTIONS + --scale:: + scale/normalize counter values + ++-d:: ++--detailed:: ++ print more detailed statistics, can be specified up to 3 times ++ ++ -d: detailed events, L1 and LLC data cache ++ -d -d: more detailed events, dTLB and iTLB events ++ -d -d -d: very detailed events, adding prefetch events ++ + -r:: + --repeat=:: + repeat command and print average + stddev (max: 100). 0 means forever. diff --git a/patch/kernel/cubox-dev/patch-3.14.68-69.patch b/patch/kernel/cubox-dev/patch-3.14.68-69.patch new file mode 100644 index 000000000..f9ab337ab --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.68-69.patch @@ -0,0 +1,771 @@ +diff --git a/MAINTAINERS b/MAINTAINERS +index 900d98eec2fc..8efefbd1a853 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -3247,8 +3247,8 @@ F: Documentation/x86/efi-stub.txt + F: arch/ia64/kernel/efi.c + F: arch/x86/boot/compressed/eboot.[ch] + F: arch/x86/include/asm/efi.h +-F: arch/x86/platform/efi/* +-F: drivers/firmware/efi/* ++F: arch/x86/platform/efi/ ++F: drivers/firmware/efi/ + F: include/linux/efi*.h + + EFI VARIABLE FILESYSTEM +diff --git a/Makefile b/Makefile +index 5ec8a7dda8ba..c6762fdfc967 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 68 ++SUBLEVEL = 69 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/mach-socfpga/headsmp.S b/arch/arm/mach-socfpga/headsmp.S +index 95c115d8b5ee..b143f946bb79 100644 +--- a/arch/arm/mach-socfpga/headsmp.S ++++ b/arch/arm/mach-socfpga/headsmp.S +@@ -11,6 +11,7 @@ + #include + + .arch armv7-a ++ .arm + + ENTRY(secondary_trampoline) + movw r2, #:lower16:cpu1start_addr +diff --git a/arch/powerpc/include/uapi/asm/cputable.h b/arch/powerpc/include/uapi/asm/cputable.h +index de2c0e4ee1aa..67de80a8e178 100644 +--- a/arch/powerpc/include/uapi/asm/cputable.h ++++ b/arch/powerpc/include/uapi/asm/cputable.h +@@ -31,6 +31,7 @@ + #define PPC_FEATURE_PSERIES_PERFMON_COMPAT \ + 0x00000040 + ++/* Reserved - do not use 0x00000004 */ + #define PPC_FEATURE_TRUE_LE 0x00000002 + #define PPC_FEATURE_PPC_LE 0x00000001 + +diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c +index f58c0d3aaeb4..3f70874faf24 100644 +--- a/arch/powerpc/kernel/prom.c ++++ b/arch/powerpc/kernel/prom.c +@@ -159,7 +159,7 @@ static struct ibm_pa_feature { + {CPU_FTR_NOEXECUTE, 0, 0, 0, 6, 0}, + {CPU_FTR_NODSISRALIGN, 0, 0, 1, 1, 1}, + {0, MMU_FTR_CI_LARGE_PAGE, 0, 1, 2, 0}, +- {CPU_FTR_REAL_LE, PPC_FEATURE_TRUE_LE, 5, 0, 0}, ++ {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 5, 0, 0}, + }; + + static void __init scan_features(unsigned long node, unsigned char *ftrs, +diff --git a/arch/x86/kernel/sysfb_efi.c b/arch/x86/kernel/sysfb_efi.c +index b285d4e8c68e..5da924bbf0a0 100644 +--- a/arch/x86/kernel/sysfb_efi.c ++++ b/arch/x86/kernel/sysfb_efi.c +@@ -106,14 +106,24 @@ static int __init efifb_set_system(const struct dmi_system_id *id) + continue; + for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) { + resource_size_t start, end; ++ unsigned long flags; ++ ++ flags = pci_resource_flags(dev, i); ++ if (!(flags & IORESOURCE_MEM)) ++ continue; ++ ++ if (flags & IORESOURCE_UNSET) ++ continue; ++ ++ if (pci_resource_len(dev, i) == 0) ++ continue; + + start = pci_resource_start(dev, i); +- if (start == 0) +- break; + end = pci_resource_end(dev, i); + if (screen_info.lfb_base >= start && + screen_info.lfb_base < end) { + found_bar = 1; ++ break; + } + } + } +diff --git a/arch/x86/kernel/tsc_msr.c b/arch/x86/kernel/tsc_msr.c +index 92ae6acac8a7..6aa0f4d9eea6 100644 +--- a/arch/x86/kernel/tsc_msr.c ++++ b/arch/x86/kernel/tsc_msr.c +@@ -92,7 +92,7 @@ unsigned long try_msr_calibrate_tsc(void) + + if (freq_desc_tables[cpu_index].msr_plat) { + rdmsr(MSR_PLATFORM_INFO, lo, hi); +- ratio = (lo >> 8) & 0x1f; ++ ratio = (lo >> 8) & 0xff; + } else { + rdmsr(MSR_IA32_PERF_STATUS, lo, hi); + ratio = (hi >> 8) & 0x1f; +diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c +index 81a78ba84311..465872560ba2 100644 +--- a/drivers/acpi/acpica/dsmethod.c ++++ b/drivers/acpi/acpica/dsmethod.c +@@ -267,6 +267,9 @@ acpi_ds_begin_method_execution(struct acpi_namespace_node *method_node, + obj_desc->method.mutex->mutex. + original_sync_level = + obj_desc->method.mutex->mutex.sync_level; ++ ++ obj_desc->method.mutex->mutex.thread_id = ++ acpi_os_get_thread_id(); + } + } + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index d18093681af2..200c4e2c716e 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -581,8 +581,8 @@ static void do_nbd_request(struct request_queue *q) + BUG_ON(nbd->magic != NBD_MAGIC); + + if (unlikely(!nbd->sock)) { +- dev_err(disk_to_dev(nbd->disk), +- "Attempted send on closed socket\n"); ++ dev_err_ratelimited(disk_to_dev(nbd->disk), ++ "Attempted send on closed socket\n"); + req->errors++; + nbd_end_request(req); + spin_lock_irq(q->queue_lock); +diff --git a/drivers/clk/versatile/clk-sp810.c b/drivers/clk/versatile/clk-sp810.c +index 5122ef25f595..e63c3ef9b5ec 100644 +--- a/drivers/clk/versatile/clk-sp810.c ++++ b/drivers/clk/versatile/clk-sp810.c +@@ -141,6 +141,7 @@ void __init clk_sp810_of_setup(struct device_node *node) + const char *parent_names[2]; + char name[12]; + struct clk_init_data init; ++ static int instance; + int i; + + if (!sp810) { +@@ -172,7 +173,7 @@ void __init clk_sp810_of_setup(struct device_node *node) + init.num_parents = ARRAY_SIZE(parent_names); + + for (i = 0; i < ARRAY_SIZE(sp810->timerclken); i++) { +- snprintf(name, ARRAY_SIZE(name), "timerclken%d", i); ++ snprintf(name, sizeof(name), "sp810_%d_%d", instance, i); + + sp810->timerclken[i].sp810 = sp810; + sp810->timerclken[i].channel = i; +@@ -184,5 +185,6 @@ void __init clk_sp810_of_setup(struct device_node *node) + } + + of_clk_add_provider(node, clk_sp810_timerclken_of_get, sp810); ++ instance++; + } + CLK_OF_DECLARE(sp810, "arm,sp810", clk_sp810_of_setup); +diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c +index 053117c02bbc..afcf3491f579 100644 +--- a/drivers/iio/magnetometer/ak8975.c ++++ b/drivers/iio/magnetometer/ak8975.c +@@ -151,6 +151,8 @@ static int ak8975_setup_irq(struct ak8975_data *data) + int rc; + int irq; + ++ init_waitqueue_head(&data->data_ready_queue); ++ clear_bit(0, &data->flags); + if (client->irq) + irq = client->irq; + else +@@ -166,8 +168,6 @@ static int ak8975_setup_irq(struct ak8975_data *data) + return rc; + } + +- init_waitqueue_head(&data->data_ready_queue); +- clear_bit(0, &data->flags); + data->eoc_irq = irq; + + return rc; +diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c +index 45a06e495ed2..3512a686873d 100644 +--- a/drivers/input/touchscreen/ads7846.c ++++ b/drivers/input/touchscreen/ads7846.c +@@ -668,18 +668,22 @@ static int ads7846_no_filter(void *ads, int data_idx, int *val) + + static int ads7846_get_value(struct ads7846 *ts, struct spi_message *m) + { ++ int value; + struct spi_transfer *t = + list_entry(m->transfers.prev, struct spi_transfer, transfer_list); + + if (ts->model == 7845) { +- return be16_to_cpup((__be16 *)&(((char*)t->rx_buf)[1])) >> 3; ++ value = be16_to_cpup((__be16 *)&(((char *)t->rx_buf)[1])); + } else { + /* + * adjust: on-wire is a must-ignore bit, a BE12 value, then + * padding; built from two 8 bit values written msb-first. + */ +- return be16_to_cpup((__be16 *)t->rx_buf) >> 3; ++ value = be16_to_cpup((__be16 *)t->rx_buf); + } ++ ++ /* enforce ADC output is 12 bits width */ ++ return (value >> 3) & 0xfff; + } + + static void ads7846_update_value(struct spi_message *m, int val) +diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c +index 2175f3419002..dd5cc262bb50 100644 +--- a/drivers/input/touchscreen/zforce_ts.c ++++ b/drivers/input/touchscreen/zforce_ts.c +@@ -350,8 +350,8 @@ static int zforce_touch_event(struct zforce_ts *ts, u8 *payload) + point.coord_x = point.coord_y = 0; + } + +- point.state = payload[9 * i + 5] & 0x03; +- point.id = (payload[9 * i + 5] & 0xfc) >> 2; ++ point.state = payload[9 * i + 5] & 0x0f; ++ point.id = (payload[9 * i + 5] & 0xf0) >> 4; + + /* determine touch major, minor and orientation */ + point.area_major = max(payload[9 * i + 6], +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 68c94cc85c35..39dc1d43eec1 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -2697,7 +2697,7 @@ lpfc_online(struct lpfc_hba *phba) + } + + vports = lpfc_create_vport_work_array(phba); +- if (vports != NULL) ++ if (vports != NULL) { + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) { + struct Scsi_Host *shost; + shost = lpfc_shost_from_vport(vports[i]); +@@ -2714,7 +2714,8 @@ lpfc_online(struct lpfc_hba *phba) + } + spin_unlock_irq(shost->host_lock); + } +- lpfc_destroy_vport_work_array(phba, vports); ++ } ++ lpfc_destroy_vport_work_array(phba, vports); + + lpfc_unblock_mgmt_io(phba); + return 0; +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index b689a2fd960c..16f1b199d46b 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -108,6 +108,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */ + { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */ + { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */ ++ { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */ + { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */ + { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ + { USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */ +@@ -117,6 +118,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */ + { USB_DEVICE(0x10C4, 0x846E) }, /* BEI USB Sensor Interface (VCP) */ + { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ ++ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ + { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ + { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ + { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ +@@ -140,6 +142,8 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0xF004) }, /* Elan Digital Systems USBcount50 */ + { USB_DEVICE(0x10C5, 0xEA61) }, /* Silicon Labs MobiData GPRS USB Modem */ + { USB_DEVICE(0x10CE, 0xEA6A) }, /* Silicon Labs MobiData GPRS USB Modem 100EU */ ++ { USB_DEVICE(0x12B8, 0xEC60) }, /* Link G4 ECU */ ++ { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ + { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ + { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ + { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ +diff --git a/fs/proc/base.c b/fs/proc/base.c +index be78847782c4..842ba1e59706 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -844,7 +844,8 @@ static ssize_t environ_read(struct file *file, char __user *buf, + int ret = 0; + struct mm_struct *mm = file->private_data; + +- if (!mm) ++ /* Ensure the process spawned far enough to have an environment. */ ++ if (!mm || !mm->env_end) + return 0; + + page = (char *)__get_free_page(GFP_TEMPORARY); +diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h +index 02ae99e8e6d3..633716ef19b0 100644 +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -100,10 +100,122 @@ + #define __maybe_unused __attribute__((unused)) + #define __always_unused __attribute__((unused)) + +-#define __gcc_header(x) #x +-#define _gcc_header(x) __gcc_header(linux/compiler-gcc##x.h) +-#define gcc_header(x) _gcc_header(x) +-#include gcc_header(__GNUC__) ++/* gcc version specific checks */ ++ ++#if GCC_VERSION < 30200 ++# error Sorry, your compiler is too old - please upgrade it. ++#endif ++ ++#if GCC_VERSION < 30300 ++# define __used __attribute__((__unused__)) ++#else ++# define __used __attribute__((__used__)) ++#endif ++ ++#ifdef CONFIG_GCOV_KERNEL ++# if GCC_VERSION < 30400 ++# error "GCOV profiling support for gcc versions below 3.4 not included" ++# endif /* __GNUC_MINOR__ */ ++#endif /* CONFIG_GCOV_KERNEL */ ++ ++#if GCC_VERSION >= 30400 ++#define __must_check __attribute__((warn_unused_result)) ++#endif ++ ++#if GCC_VERSION >= 40000 ++ ++/* GCC 4.1.[01] miscompiles __weak */ ++#ifdef __KERNEL__ ++# if GCC_VERSION >= 40100 && GCC_VERSION <= 40101 ++# error Your version of gcc miscompiles the __weak directive ++# endif ++#endif ++ ++#define __used __attribute__((__used__)) ++#define __compiler_offsetof(a, b) \ ++ __builtin_offsetof(a, b) ++ ++#if GCC_VERSION >= 40100 && GCC_VERSION < 40600 ++# define __compiletime_object_size(obj) __builtin_object_size(obj, 0) ++#endif ++ ++#if GCC_VERSION >= 40300 ++/* Mark functions as cold. gcc will assume any path leading to a call ++ * to them will be unlikely. This means a lot of manual unlikely()s ++ * are unnecessary now for any paths leading to the usual suspects ++ * like BUG(), printk(), panic() etc. [but let's keep them for now for ++ * older compilers] ++ * ++ * Early snapshots of gcc 4.3 don't support this and we can't detect this ++ * in the preprocessor, but we can live with this because they're unreleased. ++ * Maketime probing would be overkill here. ++ * ++ * gcc also has a __attribute__((__hot__)) to move hot functions into ++ * a special section, but I don't see any sense in this right now in ++ * the kernel context ++ */ ++#define __cold __attribute__((__cold__)) ++ ++#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) ++ ++#ifndef __CHECKER__ ++# define __compiletime_warning(message) __attribute__((warning(message))) ++# define __compiletime_error(message) __attribute__((error(message))) ++#endif /* __CHECKER__ */ ++#endif /* GCC_VERSION >= 40300 */ ++ ++#if GCC_VERSION >= 40500 ++/* ++ * Mark a position in code as unreachable. This can be used to ++ * suppress control flow warnings after asm blocks that transfer ++ * control elsewhere. ++ * ++ * Early snapshots of gcc 4.5 don't support this and we can't detect ++ * this in the preprocessor, but we can live with this because they're ++ * unreleased. Really, we need to have autoconf for the kernel. ++ */ ++#define unreachable() __builtin_unreachable() ++ ++/* Mark a function definition as prohibited from being cloned. */ ++#define __noclone __attribute__((__noclone__, __optimize__("no-tracer"))) ++ ++#endif /* GCC_VERSION >= 40500 */ ++ ++#if GCC_VERSION >= 40600 ++/* ++ * Tell the optimizer that something else uses this function or variable. ++ */ ++#define __visible __attribute__((externally_visible)) ++#endif ++ ++/* ++ * GCC 'asm goto' miscompiles certain code sequences: ++ * ++ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 ++ * ++ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. ++ * ++ * (asm goto is automatically volatile - the naming reflects this.) ++ */ ++#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ++ ++#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP ++#if GCC_VERSION >= 40400 ++#define __HAVE_BUILTIN_BSWAP32__ ++#define __HAVE_BUILTIN_BSWAP64__ ++#endif ++#if GCC_VERSION >= 40800 || (defined(__powerpc__) && GCC_VERSION >= 40600) ++#define __HAVE_BUILTIN_BSWAP16__ ++#endif ++#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ ++ ++#if GCC_VERSION >= 50000 ++#define KASAN_ABI_VERSION 4 ++#elif GCC_VERSION >= 40902 ++#define KASAN_ABI_VERSION 3 ++#endif ++ ++#endif /* gcc version >= 40000 specific checks */ + + #if !defined(__noclone) + #define __noclone /* not needed */ +diff --git a/include/linux/compiler-gcc3.h b/include/linux/compiler-gcc3.h +deleted file mode 100644 +index 7d89febe4d79..000000000000 +--- a/include/linux/compiler-gcc3.h ++++ /dev/null +@@ -1,23 +0,0 @@ +-#ifndef __LINUX_COMPILER_H +-#error "Please don't include directly, include instead." +-#endif +- +-#if GCC_VERSION < 30200 +-# error Sorry, your compiler is too old - please upgrade it. +-#endif +- +-#if GCC_VERSION >= 30300 +-# define __used __attribute__((__used__)) +-#else +-# define __used __attribute__((__unused__)) +-#endif +- +-#if GCC_VERSION >= 30400 +-#define __must_check __attribute__((warn_unused_result)) +-#endif +- +-#ifdef CONFIG_GCOV_KERNEL +-# if GCC_VERSION < 30400 +-# error "GCOV profiling support for gcc versions below 3.4 not included" +-# endif /* __GNUC_MINOR__ */ +-#endif /* CONFIG_GCOV_KERNEL */ +diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h +deleted file mode 100644 +index 2507fd2a1eb4..000000000000 +--- a/include/linux/compiler-gcc4.h ++++ /dev/null +@@ -1,88 +0,0 @@ +-#ifndef __LINUX_COMPILER_H +-#error "Please don't include directly, include instead." +-#endif +- +-/* GCC 4.1.[01] miscompiles __weak */ +-#ifdef __KERNEL__ +-# if GCC_VERSION >= 40100 && GCC_VERSION <= 40101 +-# error Your version of gcc miscompiles the __weak directive +-# endif +-#endif +- +-#define __used __attribute__((__used__)) +-#define __must_check __attribute__((warn_unused_result)) +-#define __compiler_offsetof(a,b) __builtin_offsetof(a,b) +- +-#if GCC_VERSION >= 40100 && GCC_VERSION < 40600 +-# define __compiletime_object_size(obj) __builtin_object_size(obj, 0) +-#endif +- +-#if GCC_VERSION >= 40300 +-/* Mark functions as cold. gcc will assume any path leading to a call +- to them will be unlikely. This means a lot of manual unlikely()s +- are unnecessary now for any paths leading to the usual suspects +- like BUG(), printk(), panic() etc. [but let's keep them for now for +- older compilers] +- +- Early snapshots of gcc 4.3 don't support this and we can't detect this +- in the preprocessor, but we can live with this because they're unreleased. +- Maketime probing would be overkill here. +- +- gcc also has a __attribute__((__hot__)) to move hot functions into +- a special section, but I don't see any sense in this right now in +- the kernel context */ +-#define __cold __attribute__((__cold__)) +- +-#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) +- +-#ifndef __CHECKER__ +-# define __compiletime_warning(message) __attribute__((warning(message))) +-# define __compiletime_error(message) __attribute__((error(message))) +-#endif /* __CHECKER__ */ +-#endif /* GCC_VERSION >= 40300 */ +- +-#if GCC_VERSION >= 40500 +-/* +- * Mark a position in code as unreachable. This can be used to +- * suppress control flow warnings after asm blocks that transfer +- * control elsewhere. +- * +- * Early snapshots of gcc 4.5 don't support this and we can't detect +- * this in the preprocessor, but we can live with this because they're +- * unreleased. Really, we need to have autoconf for the kernel. +- */ +-#define unreachable() __builtin_unreachable() +- +-/* Mark a function definition as prohibited from being cloned. */ +-#define __noclone __attribute__((__noclone__)) +- +-#endif /* GCC_VERSION >= 40500 */ +- +-#if GCC_VERSION >= 40600 +-/* +- * Tell the optimizer that something else uses this function or variable. +- */ +-#define __visible __attribute__((externally_visible)) +-#endif +- +-/* +- * GCC 'asm goto' miscompiles certain code sequences: +- * +- * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 +- * +- * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. +- * Fixed in GCC 4.8.2 and later versions. +- * +- * (asm goto is automatically volatile - the naming reflects this.) +- */ +-#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) +- +-#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP +-#if GCC_VERSION >= 40400 +-#define __HAVE_BUILTIN_BSWAP32__ +-#define __HAVE_BUILTIN_BSWAP64__ +-#endif +-#if GCC_VERSION >= 40800 || (defined(__powerpc__) && GCC_VERSION >= 40600) +-#define __HAVE_BUILTIN_BSWAP16__ +-#endif +-#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ +diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h +deleted file mode 100644 +index cdd1cc202d51..000000000000 +--- a/include/linux/compiler-gcc5.h ++++ /dev/null +@@ -1,66 +0,0 @@ +-#ifndef __LINUX_COMPILER_H +-#error "Please don't include directly, include instead." +-#endif +- +-#define __used __attribute__((__used__)) +-#define __must_check __attribute__((warn_unused_result)) +-#define __compiler_offsetof(a, b) __builtin_offsetof(a, b) +- +-/* Mark functions as cold. gcc will assume any path leading to a call +- to them will be unlikely. This means a lot of manual unlikely()s +- are unnecessary now for any paths leading to the usual suspects +- like BUG(), printk(), panic() etc. [but let's keep them for now for +- older compilers] +- +- Early snapshots of gcc 4.3 don't support this and we can't detect this +- in the preprocessor, but we can live with this because they're unreleased. +- Maketime probing would be overkill here. +- +- gcc also has a __attribute__((__hot__)) to move hot functions into +- a special section, but I don't see any sense in this right now in +- the kernel context */ +-#define __cold __attribute__((__cold__)) +- +-#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) +- +-#ifndef __CHECKER__ +-# define __compiletime_warning(message) __attribute__((warning(message))) +-# define __compiletime_error(message) __attribute__((error(message))) +-#endif /* __CHECKER__ */ +- +-/* +- * Mark a position in code as unreachable. This can be used to +- * suppress control flow warnings after asm blocks that transfer +- * control elsewhere. +- * +- * Early snapshots of gcc 4.5 don't support this and we can't detect +- * this in the preprocessor, but we can live with this because they're +- * unreleased. Really, we need to have autoconf for the kernel. +- */ +-#define unreachable() __builtin_unreachable() +- +-/* Mark a function definition as prohibited from being cloned. */ +-#define __noclone __attribute__((__noclone__)) +- +-/* +- * Tell the optimizer that something else uses this function or variable. +- */ +-#define __visible __attribute__((externally_visible)) +- +-/* +- * GCC 'asm goto' miscompiles certain code sequences: +- * +- * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 +- * +- * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. +- * Fixed in GCC 4.8.2 and later versions. +- * +- * (asm goto is automatically volatile - the naming reflects this.) +- */ +-#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) +- +-#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP +-#define __HAVE_BUILTIN_BSWAP32__ +-#define __HAVE_BUILTIN_BSWAP64__ +-#define __HAVE_BUILTIN_BSWAP16__ +-#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ +diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h +index 45e921401b06..740c6df3b3a7 100644 +--- a/include/linux/mod_devicetable.h ++++ b/include/linux/mod_devicetable.h +@@ -398,6 +398,7 @@ struct virtio_device_id { + /* + * For Hyper-V devices we use the device guid as the id. + */ ++#define vmbus_device_id hv_vmbus_device_id + struct hv_vmbus_device_id { + __u8 guid[16]; + kernel_ulong_t driver_data; /* Data private to the driver */ +@@ -548,6 +549,11 @@ struct amba_id { + * See documentation of "x86_match_cpu" for details. + */ + ++/* ++ * MODULE_DEVICE_TABLE expects this struct to be called x86cpu_device_id. ++ * Although gcc seems to ignore this error, clang fails without this define. ++ */ ++#define x86cpu_device_id x86_cpu_id + struct x86_cpu_id { + __u16 vendor; + __u16 family; +@@ -575,6 +581,7 @@ struct ipack_device_id { + #define MEI_CL_MODULE_PREFIX "mei:" + #define MEI_CL_NAME_SIZE 32 + ++#define mei_device_id mei_cl_device_id + struct mei_cl_device_id { + char name[MEI_CL_NAME_SIZE]; + kernel_ulong_t driver_info; +@@ -594,6 +601,7 @@ struct mei_cl_device_id { + * Identifies a RapidIO device based on both the device/vendor IDs and + * the assembly device/vendor IDs. + */ ++#define rapidio_device_id rio_device_id + struct rio_device_id { + __u16 did, vid; + __u16 asm_did, asm_vid; +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index bb1ac9cbe30a..a8bd1ca97e03 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -1546,8 +1546,13 @@ event_create_dir(struct dentry *parent, struct ftrace_event_file *file) + trace_create_file("filter", 0644, file->dir, file, + &ftrace_event_filter_fops); + +- trace_create_file("trigger", 0644, file->dir, file, +- &event_trigger_fops); ++ /* ++ * Only event directories that can be enabled should have ++ * triggers. ++ */ ++ if (!(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) ++ trace_create_file("trigger", 0644, file->dir, file, ++ &event_trigger_fops); + + trace_create_file("format", 0444, file->dir, call, + &ftrace_event_format_fops); +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c +index a953d5b196a3..a4f76e3cdfe3 100644 +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -88,6 +88,15 @@ static void _batadv_update_route(struct batadv_priv *bat_priv, + neigh_node = NULL; + + spin_lock_bh(&orig_node->neigh_list_lock); ++ /* curr_router used earlier may not be the current orig_ifinfo->router ++ * anymore because it was dereferenced outside of the neigh_list_lock ++ * protected region. After the new best neighbor has replace the current ++ * best neighbor the reference counter needs to decrease. Consequently, ++ * the code needs to ensure the curr_router variable contains a pointer ++ * to the replaced best neighbor. ++ */ ++ curr_router = rcu_dereference_protected(orig_ifinfo->router, true); ++ + rcu_assign_pointer(orig_ifinfo->router, neigh_node); + spin_unlock_bh(&orig_node->neigh_list_lock); + batadv_orig_ifinfo_free_ref(orig_ifinfo); +diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c +index 843febd1e519..07efffae6829 100644 +--- a/net/batman-adv/send.c ++++ b/net/batman-adv/send.c +@@ -610,6 +610,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, + + if (pending) { + hlist_del(&forw_packet->list); ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->bcast_queue_left); ++ + batadv_forw_packet_free(forw_packet); + } + } +@@ -637,6 +640,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, + + if (pending) { + hlist_del(&forw_packet->list); ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->batman_queue_left); ++ + batadv_forw_packet_free(forw_packet); + } + } +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index f82c267e1886..8532f8bb84c4 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -356,11 +356,17 @@ void batadv_interface_rx(struct net_device *soft_iface, + */ + nf_reset(skb); + ++ if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) ++ goto dropped; ++ + vid = batadv_get_vid(skb, 0); + ethhdr = eth_hdr(skb); + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, VLAN_ETH_HLEN)) ++ goto dropped; ++ + vhdr = (struct vlan_ethhdr *)skb->data; + + if (vhdr->h_vlan_encapsulated_proto != ethertype) +@@ -372,8 +378,6 @@ void batadv_interface_rx(struct net_device *soft_iface, + } + + /* skb->dev & skb->pkt_type are set here */ +- if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) +- goto dropped; + skb->protocol = eth_type_trans(skb, soft_iface); + + /* should not be necessary anymore as we use skb_pull_rcsum() +diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c +index bed5f7042529..bb318e4623a3 100644 +--- a/net/netfilter/ipvs/ip_vs_pe_sip.c ++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c +@@ -88,7 +88,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) + dptr = skb->data + dataoff; + datalen = skb->len - dataoff; + +- if (get_callid(dptr, dataoff, datalen, &matchoff, &matchlen)) ++ if (get_callid(dptr, 0, datalen, &matchoff, &matchlen)) + return -EINVAL; + + /* N.B: pe_data is only set on success, diff --git a/patch/kernel/cubox-dev/patch-3.14.69-70.patch b/patch/kernel/cubox-dev/patch-3.14.69-70.patch new file mode 100644 index 000000000..9ba538756 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.69-70.patch @@ -0,0 +1,416 @@ +diff --git a/Makefile b/Makefile +index c6762fdfc967..bc3311a0893b 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 69 ++SUBLEVEL = 70 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S +index d1dedc8195ed..eafd120b53f1 100644 +--- a/arch/arm/mach-omap2/sleep34xx.S ++++ b/arch/arm/mach-omap2/sleep34xx.S +@@ -203,23 +203,8 @@ save_context_wfi: + */ + ldr r1, kernel_flush + blx r1 +- /* +- * The kernel doesn't interwork: v7_flush_dcache_all in particluar will +- * always return in Thumb state when CONFIG_THUMB2_KERNEL is enabled. +- * This sequence switches back to ARM. Note that .align may insert a +- * nop: bx pc needs to be word-aligned in order to work. +- */ +- THUMB( .thumb ) +- THUMB( .align ) +- THUMB( bx pc ) +- THUMB( nop ) +- .arm +- + b omap3_do_wfi +- +-/* +- * Local variables +- */ ++ENDPROC(omap34xx_cpu_suspend) + omap3_do_wfi_sram_addr: + .word omap3_do_wfi_sram + kernel_flush: +@@ -364,10 +349,7 @@ exit_nonoff_modes: + * =================================== + */ + ldmfd sp!, {r4 - r11, pc} @ restore regs and return +- +-/* +- * Local variables +- */ ++ENDPROC(omap3_do_wfi) + sdrc_power: + .word SDRC_POWER_V + cm_idlest1_core: +diff --git a/crypto/ahash.c b/crypto/ahash.c +index 865ef923eda6..7cddee979ddd 100644 +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -64,8 +64,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk) + struct scatterlist *sg; + + sg = walk->sg; +- walk->pg = sg_page(sg); + walk->offset = sg->offset; ++ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT); ++ walk->offset = offset_in_page(walk->offset); + walk->entrylen = sg->length; + + if (walk->entrylen > walk->total) +diff --git a/drivers/gpu/drm/i915/intel_crt.c b/drivers/gpu/drm/i915/intel_crt.c +index 834847527982..b60cb76aae51 100644 +--- a/drivers/gpu/drm/i915/intel_crt.c ++++ b/drivers/gpu/drm/i915/intel_crt.c +@@ -259,8 +259,14 @@ static bool intel_crt_compute_config(struct intel_encoder *encoder, + pipe_config->has_pch_encoder = true; + + /* LPT FDI RX only supports 8bpc. */ +- if (HAS_PCH_LPT(dev)) ++ if (HAS_PCH_LPT(dev)) { ++ if (pipe_config->bw_constrained && pipe_config->pipe_bpp < 24) { ++ DRM_DEBUG_KMS("LPT only supports 24bpp\n"); ++ return false; ++ } ++ + pipe_config->pipe_bpp = 24; ++ } + + return true; + } +diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c +index 0db3e208f02a..b205f76400ad 100644 +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -1600,6 +1600,7 @@ static u32 radeon_get_pll_use_mask(struct drm_crtc *crtc) + static int radeon_get_shared_dp_ppll(struct drm_crtc *crtc) + { + struct drm_device *dev = crtc->dev; ++ struct radeon_device *rdev = dev->dev_private; + struct drm_crtc *test_crtc; + struct radeon_crtc *test_radeon_crtc; + +@@ -1609,6 +1610,10 @@ static int radeon_get_shared_dp_ppll(struct drm_crtc *crtc) + test_radeon_crtc = to_radeon_crtc(test_crtc); + if (test_radeon_crtc->encoder && + ENCODER_MODE_IS_DP(atombios_get_encoder_mode(test_radeon_crtc->encoder))) { ++ /* PPLL2 is exclusive to UNIPHYA on DCE61 */ ++ if (ASIC_IS_DCE61(rdev) && !ASIC_IS_DCE8(rdev) && ++ test_radeon_crtc->pll_id == ATOM_PPLL2) ++ continue; + /* for DP use the same PLL for all */ + if (test_radeon_crtc->pll_id != ATOM_PPLL_INVALID) + return test_radeon_crtc->pll_id; +@@ -1630,6 +1635,7 @@ static int radeon_get_shared_nondp_ppll(struct drm_crtc *crtc) + { + struct radeon_crtc *radeon_crtc = to_radeon_crtc(crtc); + struct drm_device *dev = crtc->dev; ++ struct radeon_device *rdev = dev->dev_private; + struct drm_crtc *test_crtc; + struct radeon_crtc *test_radeon_crtc; + u32 adjusted_clock, test_adjusted_clock; +@@ -1645,6 +1651,10 @@ static int radeon_get_shared_nondp_ppll(struct drm_crtc *crtc) + test_radeon_crtc = to_radeon_crtc(test_crtc); + if (test_radeon_crtc->encoder && + !ENCODER_MODE_IS_DP(atombios_get_encoder_mode(test_radeon_crtc->encoder))) { ++ /* PPLL2 is exclusive to UNIPHYA on DCE61 */ ++ if (ASIC_IS_DCE61(rdev) && !ASIC_IS_DCE8(rdev) && ++ test_radeon_crtc->pll_id == ATOM_PPLL2) ++ continue; + /* check if we are already driving this connector with another crtc */ + if (test_radeon_crtc->connector == radeon_crtc->connector) { + /* if we are, return that pll */ +diff --git a/drivers/input/misc/max8997_haptic.c b/drivers/input/misc/max8997_haptic.c +index 1fea5484941f..07ed458f10fa 100644 +--- a/drivers/input/misc/max8997_haptic.c ++++ b/drivers/input/misc/max8997_haptic.c +@@ -245,12 +245,14 @@ static int max8997_haptic_probe(struct platform_device *pdev) + struct max8997_dev *iodev = dev_get_drvdata(pdev->dev.parent); + const struct max8997_platform_data *pdata = + dev_get_platdata(iodev->dev); +- const struct max8997_haptic_platform_data *haptic_pdata = +- pdata->haptic_pdata; ++ const struct max8997_haptic_platform_data *haptic_pdata = NULL; + struct max8997_haptic *chip; + struct input_dev *input_dev; + int error; + ++ if (pdata) ++ haptic_pdata = pdata->haptic_pdata; ++ + if (!haptic_pdata) { + dev_err(&pdev->dev, "no haptic platform data\n"); + return -EINVAL; +diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c +index 265ce1b752ed..96fe542b4acb 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl2.c ++++ b/drivers/net/ethernet/atheros/atlx/atl2.c +@@ -1413,7 +1413,7 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = -EIO; + +- netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX; ++ netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX; + netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); + + /* Init PHY as early as possible due to power saving issue */ +diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c +index 769d265b221b..deb7f4bcdb7b 100644 +--- a/drivers/pnp/pnpbios/bioscalls.c ++++ b/drivers/pnp/pnpbios/bioscalls.c +@@ -21,7 +21,7 @@ + + #include "pnpbios.h" + +-static struct { ++__visible struct { + u16 offset; + u16 segment; + } pnp_bios_callpoint; +@@ -41,6 +41,7 @@ asmlinkage void pnp_bios_callfunc(void); + + __asm__(".text \n" + __ALIGN_STR "\n" ++ ".globl pnp_bios_callfunc\n" + "pnp_bios_callfunc:\n" + " pushl %edx \n" + " pushl %ecx \n" +@@ -66,9 +67,9 @@ static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092, + * after PnP BIOS oopses. + */ + +-u32 pnp_bios_fault_esp; +-u32 pnp_bios_fault_eip; +-u32 pnp_bios_is_utter_crap = 0; ++__visible u32 pnp_bios_fault_esp; ++__visible u32 pnp_bios_fault_eip; ++__visible u32 pnp_bios_is_utter_crap = 0; + + static spinlock_t pnp_bios_lock; + +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c +index 735d7522a3a9..204659a5f6db 100644 +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de, + int retnamlen = 0; + int truncate = 0; + int ret = 0; ++ char *p; ++ int len; + + if (!ISOFS_SB(inode->i_sb)->s_rock) + return 0; +@@ -267,12 +269,17 @@ repeat: + rr->u.NM.flags); + break; + } +- if ((strlen(retname) + rr->len - 5) >= 254) { ++ len = rr->len - 5; ++ if (retnamlen + len >= 254) { + truncate = 1; + break; + } +- strncat(retname, rr->u.NM.name, rr->len - 5); +- retnamlen += rr->len - 5; ++ p = memchr(rr->u.NM.name, '\0', len); ++ if (unlikely(p)) ++ len = p - rr->u.NM.name; ++ memcpy(retname + retnamlen, rr->u.NM.name, len); ++ retnamlen += len; ++ retname[retnamlen] = '\0'; + break; + case SIG('R', 'E'): + kfree(rs.buffer); +diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c +index 8d423bc649b9..f876f707fd9e 100644 +--- a/net/bridge/br_ioctl.c ++++ b/net/bridge/br_ioctl.c +@@ -21,18 +21,19 @@ + #include + #include "br_private.h" + +-/* called with RTNL */ + static int get_bridge_ifindices(struct net *net, int *indices, int num) + { + struct net_device *dev; + int i = 0; + +- for_each_netdev(net, dev) { ++ rcu_read_lock(); ++ for_each_netdev_rcu(net, dev) { + if (i >= num) + break; + if (dev->priv_flags & IFF_EBRIDGE) + indices[i++] = dev->ifindex; + } ++ rcu_read_unlock(); + + return i; + } +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 465092f8fb76..ccccc6bfd21c 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1010,14 +1010,16 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, + goto nla_put_failure; + + if (1) { +- struct rtnl_link_ifmap map = { +- .mem_start = dev->mem_start, +- .mem_end = dev->mem_end, +- .base_addr = dev->base_addr, +- .irq = dev->irq, +- .dma = dev->dma, +- .port = dev->if_port, +- }; ++ struct rtnl_link_ifmap map; ++ ++ memset(&map, 0, sizeof(map)); ++ map.mem_start = dev->mem_start; ++ map.mem_end = dev->mem_end; ++ map.base_addr = dev->base_addr; ++ map.irq = dev->irq; ++ map.dma = dev->dma; ++ map.port = dev->if_port; ++ + if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) + goto nla_put_failure; + } +diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c +index ce0cbbfe0f43..f1ffeff02ad9 100644 +--- a/net/decnet/dn_route.c ++++ b/net/decnet/dn_route.c +@@ -1030,10 +1030,13 @@ source_ok: + if (!fld.daddr) { + fld.daddr = fld.saddr; + +- err = -EADDRNOTAVAIL; + if (dev_out) + dev_put(dev_out); ++ err = -EINVAL; + dev_out = init_net.loopback_dev; ++ if (!dev_out->dn_ptr) ++ goto out; ++ err = -EADDRNOTAVAIL; + dev_hold(dev_out); + if (!fld.daddr) { + fld.daddr = +@@ -1106,6 +1109,8 @@ source_ok: + if (dev_out == NULL) + goto out; + dn_db = rcu_dereference_raw(dev_out->dn_ptr); ++ if (!dn_db) ++ goto e_inval; + /* Possible improvement - check all devices for local addr */ + if (dn_dev_islocal(dev_out, fld.daddr)) { + dev_put(dev_out); +@@ -1147,6 +1152,8 @@ select_source: + dev_put(dev_out); + dev_out = init_net.loopback_dev; + dev_hold(dev_out); ++ if (!dev_out->dn_ptr) ++ goto e_inval; + fld.flowidn_oif = dev_out->ifindex; + if (res.fi) + dn_fib_info_put(res.fi); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 625615cdac86..ad959a149460 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1926,6 +1926,18 @@ static struct rtable *__mkroute_output(const struct fib_result *res, + */ + if (fi && res->prefixlen < 4) + fi = NULL; ++ } else if ((type == RTN_LOCAL) && (orig_oif != 0) && ++ (orig_oif != dev_out->ifindex)) { ++ /* For local routes that require a particular output interface ++ * we do not want to cache the result. Caching the result ++ * causes incorrect behaviour when there are multiple source ++ * addresses on the interface, the end result being that if the ++ * intended recipient is waiting on that interface for the ++ * packet he won't receive it because it will be delivered on ++ * the loopback interface and the IP_PKTINFO ipi_ifindex will ++ * be set to the loopback interface as well. ++ */ ++ fi = NULL; + } + + fnhe = NULL; +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index 0080d2b0a8ae..a76a67d38ec3 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) + if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { + struct llc_pktinfo info; + ++ memset(&info, 0, sizeof(info)); + info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; + llc_pdu_decode_dsap(skb, &info.lpi_sap); + llc_pdu_decode_da(skb, info.lpi_mac); +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 25d329a18616..c8078af08108 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3153,6 +3153,7 @@ static int packet_mc_add(struct sock *sk, struct packet_mreq_max *mreq) + i->ifindex = mreq->mr_ifindex; + i->alen = mreq->mr_alen; + memcpy(i->addr, mreq->mr_address, i->alen); ++ memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen); + i->count = 1; + i->next = po->mclist; + po->mclist = i; +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 85d232bed87d..e8d3313ea2c9 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1796,27 +1796,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb, + else if (sk->sk_shutdown & RCV_SHUTDOWN) + err = 0; + +- if (copied > 0) { +- /* We only do these additional bookkeeping/notification steps +- * if we actually copied something out of the queue pair +- * instead of just peeking ahead. +- */ +- +- if (!(flags & MSG_PEEK)) { +- /* If the other side has shutdown for sending and there +- * is nothing more to read, then modify the socket +- * state. +- */ +- if (vsk->peer_shutdown & SEND_SHUTDOWN) { +- if (vsock_stream_has_data(vsk) <= 0) { +- sk->sk_state = SS_UNCONNECTED; +- sock_set_flag(sk, SOCK_DONE); +- sk->sk_state_change(sk); +- } +- } +- } ++ if (copied > 0) + err = copied; +- } + + out_wait: + finish_wait(sk_sleep(sk), &wait); +diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c +index 7ecd04c21360..997ff7b2509b 100644 +--- a/net/x25/x25_facilities.c ++++ b/net/x25/x25_facilities.c +@@ -277,6 +277,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk, + + memset(&theirs, 0, sizeof(theirs)); + memcpy(new, ours, sizeof(*new)); ++ memset(dte, 0, sizeof(*dte)); + + len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); + if (len < 0) diff --git a/patch/kernel/cubox-dev/patch-3.14.70-71.patch b/patch/kernel/cubox-dev/patch-3.14.70-71.patch new file mode 100644 index 000000000..5d3937d27 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.70-71.patch @@ -0,0 +1,742 @@ +diff --git a/Makefile b/Makefile +index bc3311a0893b..98282e65bb46 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 70 ++SUBLEVEL = 71 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c +index c612e37166ad..2036f191c56f 100644 +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -682,11 +682,14 @@ static int stage2_set_pmd_huge(struct kvm *kvm, struct kvm_mmu_memory_cache + VM_BUG_ON(pmd_present(*pmd) && pmd_pfn(*pmd) != pmd_pfn(*new_pmd)); + + old_pmd = *pmd; +- kvm_set_pmd(pmd, *new_pmd); +- if (pmd_present(old_pmd)) ++ if (pmd_present(old_pmd)) { ++ pmd_clear(pmd); + kvm_tlb_flush_vmid_ipa(kvm, addr); +- else ++ } else { + get_page(virt_to_page(pmd)); ++ } ++ ++ kvm_set_pmd(pmd, *new_pmd); + return 0; + } + +@@ -723,12 +726,14 @@ static int stage2_set_pte(struct kvm *kvm, struct kvm_mmu_memory_cache *cache, + + /* Create 2nd stage page table mapping - Level 3 */ + old_pte = *pte; +- kvm_set_pte(pte, *new_pte); +- if (pte_present(old_pte)) ++ if (pte_present(old_pte)) { ++ kvm_set_pte(pte, __pte(0)); + kvm_tlb_flush_vmid_ipa(kvm, addr); +- else ++ } else { + get_page(virt_to_page(pte)); ++ } + ++ kvm_set_pte(pte, *new_pte); + return 0; + } + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 726c969b8a81..f83020db593a 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -138,7 +138,7 @@ static struct osi_linux { + unsigned int enable:1; + unsigned int dmi:1; + unsigned int cmdline:1; +- unsigned int default_disabling:1; ++ u8 default_disabling; + } osi_linux = {0, 0, 0, 0}; + + static u32 acpi_osi_handler(acpi_string interface, u32 supported) +@@ -1420,10 +1420,13 @@ void __init acpi_osi_setup(char *str) + if (*str == '!') { + str++; + if (*str == '\0') { +- osi_linux.default_disabling = 1; ++ /* Do not override acpi_osi=!* */ ++ if (!osi_linux.default_disabling) ++ osi_linux.default_disabling = ++ ACPI_DISABLE_ALL_VENDOR_STRINGS; + return; + } else if (*str == '*') { +- acpi_update_interfaces(ACPI_DISABLE_ALL_STRINGS); ++ osi_linux.default_disabling = ACPI_DISABLE_ALL_STRINGS; + for (i = 0; i < OSI_STRING_ENTRIES_MAX; i++) { + osi = &osi_setup_entries[i]; + osi->enable = false; +@@ -1496,10 +1499,13 @@ static void __init acpi_osi_setup_late(void) + acpi_status status; + + if (osi_linux.default_disabling) { +- status = acpi_update_interfaces(ACPI_DISABLE_ALL_VENDOR_STRINGS); ++ status = acpi_update_interfaces(osi_linux.default_disabling); + + if (ACPI_SUCCESS(status)) +- printk(KERN_INFO PREFIX "Disabled all _OSI OS vendors\n"); ++ printk(KERN_INFO PREFIX "Disabled all _OSI OS vendors%s\n", ++ osi_linux.default_disabling == ++ ACPI_DISABLE_ALL_STRINGS ? ++ " and feature groups" : ""); + } + + for (i = 0; i < OSI_STRING_ENTRIES_MAX; i++) { +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index 1ef6990a5c7e..bbe6643e299d 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -340,6 +340,7 @@ static int vhci_release(struct inode *inode, struct file *file) + hci_free_dev(hdev); + } + ++ skb_queue_purge(&data->readq); + file->private_data = NULL; + kfree(data); + +diff --git a/drivers/crypto/caam/jr.c b/drivers/crypto/caam/jr.c +index b512a4ba7569..33308810d1b5 100644 +--- a/drivers/crypto/caam/jr.c ++++ b/drivers/crypto/caam/jr.c +@@ -244,7 +244,7 @@ static void caam_jr_dequeue(unsigned long devarg) + struct device *caam_jr_alloc(void) + { + struct caam_drv_private_jr *jrpriv, *min_jrpriv = NULL; +- struct device *dev = NULL; ++ struct device *dev = ERR_PTR(-ENODEV); + int min_tfm_cnt = INT_MAX; + int tfm_cnt; + +diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c +index 5ee50f779ef6..0ce45874c14b 100644 +--- a/drivers/mfd/omap-usb-tll.c ++++ b/drivers/mfd/omap-usb-tll.c +@@ -269,6 +269,8 @@ static int usbtll_omap_probe(struct platform_device *pdev) + + if (IS_ERR(tll->ch_clk[i])) + dev_dbg(dev, "can't get clock : %s\n", clkname); ++ else ++ clk_prepare(tll->ch_clk[i]); + } + + pm_runtime_put_sync(dev); +@@ -301,9 +303,12 @@ static int usbtll_omap_remove(struct platform_device *pdev) + tll_dev = NULL; + spin_unlock(&tll_lock); + +- for (i = 0; i < tll->nch; i++) +- if (!IS_ERR(tll->ch_clk[i])) ++ for (i = 0; i < tll->nch; i++) { ++ if (!IS_ERR(tll->ch_clk[i])) { ++ clk_unprepare(tll->ch_clk[i]); + clk_put(tll->ch_clk[i]); ++ } ++ } + + pm_runtime_disable(&pdev->dev); + return 0; +@@ -421,7 +426,7 @@ int omap_tll_enable(struct usbhs_omap_platform_data *pdata) + if (IS_ERR(tll->ch_clk[i])) + continue; + +- r = clk_prepare_enable(tll->ch_clk[i]); ++ r = clk_enable(tll->ch_clk[i]); + if (r) { + dev_err(tll_dev, + "Error enabling ch %d clock: %d\n", i, r); +@@ -449,7 +454,7 @@ int omap_tll_disable(struct usbhs_omap_platform_data *pdata) + for (i = 0; i < tll->nch; i++) { + if (omap_usb_mode_needs_tll(pdata->port_mode[i])) { + if (!IS_ERR(tll->ch_clk[i])) +- clk_disable_unprepare(tll->ch_clk[i]); ++ clk_disable(tll->ch_clk[i]); + } + } + +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index 92aeb1d2b41b..508380b6a10d 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -2352,11 +2352,12 @@ static const struct mmc_fixup blk_fixups[] = + MMC_QUIRK_BLK_NO_CMD23), + + /* +- * Some Micron MMC cards needs longer data read timeout than +- * indicated in CSD. ++ * Some MMC cards need longer data read timeout than indicated in CSD. + */ + MMC_FIXUP(CID_NAME_ANY, CID_MANFID_MICRON, 0x200, add_quirk_mmc, + MMC_QUIRK_LONG_READ_TIME), ++ MMC_FIXUP("008GE0", CID_MANFID_TOSHIBA, CID_OEMID_ANY, add_quirk_mmc, ++ MMC_QUIRK_LONG_READ_TIME), + + /* + * On these Samsung MoviNAND parts, performing secure erase or +diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c +index 4a50b5049c51..1bbe372a9e04 100644 +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -822,11 +822,11 @@ void mmc_set_data_timeout(struct mmc_data *data, const struct mmc_card *card) + /* + * Some cards require longer data read timeout than indicated in CSD. + * Address this by setting the read timeout to a "reasonably high" +- * value. For the cards tested, 300ms has proven enough. If necessary, ++ * value. For the cards tested, 600ms has proven enough. If necessary, + * this value can be increased if other problematic cards require this. + */ + if (mmc_card_long_read_time(card) && data->flags & MMC_DATA_READ) { +- data->timeout_ns = 300000000; ++ data->timeout_ns = 600000000; + data->timeout_clks = 0; + } + +diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c +index 98e9eb0f6643..229407229ecd 100644 +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -267,6 +267,9 @@ static void mmc_select_card_type(struct mmc_card *card) + card->ext_csd.card_type = card_type; + } + ++/* Minimum partition switch timeout in milliseconds */ ++#define MMC_MIN_PART_SWITCH_TIME 300 ++ + /* + * Decode extended CSD. + */ +@@ -331,6 +334,10 @@ static int mmc_read_ext_csd(struct mmc_card *card, u8 *ext_csd) + + /* EXT_CSD value is in units of 10ms, but we store in ms */ + card->ext_csd.part_time = 10 * ext_csd[EXT_CSD_PART_SWITCH_TIME]; ++ /* Some eMMC set the value too low so set a minimum */ ++ if (card->ext_csd.part_time && ++ card->ext_csd.part_time < MMC_MIN_PART_SWITCH_TIME) ++ card->ext_csd.part_time = MMC_MIN_PART_SWITCH_TIME; + + /* Sleep / awake timeout in 100ns units */ + if (sa_shift > 0 && sa_shift <= 0x17) +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 7d3a3f5cb5ba..0a70d12fe33c 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -734,6 +734,8 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, + /* check to see if we need to change clock source */ + + if (ourport->baudclk != clk) { ++ clk_prepare_enable(clk); ++ + s3c24xx_serial_setsource(port, clk_sel); + + if (!IS_ERR(ourport->baudclk)) { +@@ -741,8 +743,6 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, + ourport->baudclk = ERR_PTR(-EINVAL); + } + +- clk_prepare_enable(clk); +- + ourport->baudclk = clk; + ourport->baudclk_rate = clk ? clk_get_rate(clk) : 0; + } +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 693091ab726b..abf17b6fe237 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -3512,9 +3512,10 @@ static int do_register_con_driver(const struct consw *csw, int first, int last) + goto err; + + desc = csw->con_startup(); +- +- if (!desc) ++ if (!desc) { ++ retval = -ENODEV; + goto err; ++ } + + retval = -EINVAL; + +diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c +index c0866971db2b..1947ea0e0988 100644 +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2856,14 +2856,16 @@ static int edge_startup(struct usb_serial *serial) + /* not set up yet, so do it now */ + edge_serial->interrupt_read_urb = + usb_alloc_urb(0, GFP_KERNEL); +- if (!edge_serial->interrupt_read_urb) +- return -ENOMEM; ++ if (!edge_serial->interrupt_read_urb) { ++ response = -ENOMEM; ++ break; ++ } + + edge_serial->interrupt_in_buffer = + kmalloc(buffer_size, GFP_KERNEL); + if (!edge_serial->interrupt_in_buffer) { +- usb_free_urb(edge_serial->interrupt_read_urb); +- return -ENOMEM; ++ response = -ENOMEM; ++ break; + } + edge_serial->interrupt_in_endpoint = + endpoint->bEndpointAddress; +@@ -2891,14 +2893,16 @@ static int edge_startup(struct usb_serial *serial) + /* not set up yet, so do it now */ + edge_serial->read_urb = + usb_alloc_urb(0, GFP_KERNEL); +- if (!edge_serial->read_urb) +- return -ENOMEM; ++ if (!edge_serial->read_urb) { ++ response = -ENOMEM; ++ break; ++ } + + edge_serial->bulk_in_buffer = + kmalloc(buffer_size, GFP_KERNEL); + if (!edge_serial->bulk_in_buffer) { +- usb_free_urb(edge_serial->read_urb); +- return -ENOMEM; ++ response = -ENOMEM; ++ break; + } + edge_serial->bulk_in_endpoint = + endpoint->bEndpointAddress; +@@ -2924,9 +2928,22 @@ static int edge_startup(struct usb_serial *serial) + } + } + +- if (!interrupt_in_found || !bulk_in_found || !bulk_out_found) { +- dev_err(ddev, "Error - the proper endpoints were not found!\n"); +- return -ENODEV; ++ if (response || !interrupt_in_found || !bulk_in_found || ++ !bulk_out_found) { ++ if (!response) { ++ dev_err(ddev, "expected endpoints not found\n"); ++ response = -ENODEV; ++ } ++ ++ usb_free_urb(edge_serial->interrupt_read_urb); ++ kfree(edge_serial->interrupt_in_buffer); ++ ++ usb_free_urb(edge_serial->read_urb); ++ kfree(edge_serial->bulk_in_buffer); ++ ++ kfree(edge_serial); ++ ++ return response; + } + + /* start interrupt read for this edgeport this interrupt will +@@ -2949,16 +2966,9 @@ static void edge_disconnect(struct usb_serial *serial) + { + struct edgeport_serial *edge_serial = usb_get_serial_data(serial); + +- /* stop reads and writes on all ports */ +- /* free up our endpoint stuff */ + if (edge_serial->is_epic) { + usb_kill_urb(edge_serial->interrupt_read_urb); +- usb_free_urb(edge_serial->interrupt_read_urb); +- kfree(edge_serial->interrupt_in_buffer); +- + usb_kill_urb(edge_serial->read_urb); +- usb_free_urb(edge_serial->read_urb); +- kfree(edge_serial->bulk_in_buffer); + } + } + +@@ -2971,6 +2981,16 @@ static void edge_release(struct usb_serial *serial) + { + struct edgeport_serial *edge_serial = usb_get_serial_data(serial); + ++ if (edge_serial->is_epic) { ++ usb_kill_urb(edge_serial->interrupt_read_urb); ++ usb_free_urb(edge_serial->interrupt_read_urb); ++ kfree(edge_serial->interrupt_in_buffer); ++ ++ usb_kill_urb(edge_serial->read_urb); ++ usb_free_urb(edge_serial->read_urb); ++ kfree(edge_serial->bulk_in_buffer); ++ } ++ + kfree(edge_serial); + } + +diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c +index 35297a845a63..118dba285b5d 100644 +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -2406,6 +2406,10 @@ static void keyspan_release(struct usb_serial *serial) + + s_priv = usb_get_serial_data(serial); + ++ /* Make sure to unlink the URBs submitted in attach. */ ++ usb_kill_urb(s_priv->instat_urb); ++ usb_kill_urb(s_priv->indat_urb); ++ + usb_free_urb(s_priv->instat_urb); + usb_free_urb(s_priv->indat_urb); + usb_free_urb(s_priv->glocont_urb); +diff --git a/drivers/usb/serial/mxuport.c b/drivers/usb/serial/mxuport.c +index 460a40669967..d029b2fc0f75 100644 +--- a/drivers/usb/serial/mxuport.c ++++ b/drivers/usb/serial/mxuport.c +@@ -1263,6 +1263,15 @@ static int mxuport_attach(struct usb_serial *serial) + return 0; + } + ++static void mxuport_release(struct usb_serial *serial) ++{ ++ struct usb_serial_port *port0 = serial->port[0]; ++ struct usb_serial_port *port1 = serial->port[1]; ++ ++ usb_serial_generic_close(port1); ++ usb_serial_generic_close(port0); ++} ++ + static int mxuport_open(struct tty_struct *tty, struct usb_serial_port *port) + { + struct mxuport_port *mxport = usb_get_serial_port_data(port); +@@ -1365,6 +1374,7 @@ static struct usb_serial_driver mxuport_device = { + .probe = mxuport_probe, + .port_probe = mxuport_port_probe, + .attach = mxuport_attach, ++ .release = mxuport_release, + .calc_num_ports = mxuport_calc_num_ports, + .open = mxuport_open, + .close = mxuport_close, +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 99c89d7fa1ad..bcb6f5c2bae4 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -375,18 +375,22 @@ static void option_instat_callback(struct urb *urb); + #define HAIER_PRODUCT_CE81B 0x10f8 + #define HAIER_PRODUCT_CE100 0x2009 + +-/* Cinterion (formerly Siemens) products */ +-#define SIEMENS_VENDOR_ID 0x0681 +-#define CINTERION_VENDOR_ID 0x1e2d ++/* Gemalto's Cinterion products (formerly Siemens) */ ++#define SIEMENS_VENDOR_ID 0x0681 ++#define CINTERION_VENDOR_ID 0x1e2d ++#define CINTERION_PRODUCT_HC25_MDMNET 0x0040 + #define CINTERION_PRODUCT_HC25_MDM 0x0047 +-#define CINTERION_PRODUCT_HC25_MDMNET 0x0040 ++#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */ + #define CINTERION_PRODUCT_HC28_MDM 0x004C +-#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */ + #define CINTERION_PRODUCT_EU3_E 0x0051 + #define CINTERION_PRODUCT_EU3_P 0x0052 + #define CINTERION_PRODUCT_PH8 0x0053 + #define CINTERION_PRODUCT_AHXX 0x0055 + #define CINTERION_PRODUCT_PLXX 0x0060 ++#define CINTERION_PRODUCT_PH8_2RMNET 0x0082 ++#define CINTERION_PRODUCT_PH8_AUDIO 0x0083 ++#define CINTERION_PRODUCT_AHXX_2RMNET 0x0084 ++#define CINTERION_PRODUCT_AHXX_AUDIO 0x0085 + + /* Olivetti products */ + #define OLIVETTI_VENDOR_ID 0x0b3c +@@ -641,6 +645,10 @@ static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = { + .reserved = BIT(1) | BIT(2) | BIT(3), + }; + ++static const struct option_blacklist_info cinterion_rmnet2_blacklist = { ++ .reserved = BIT(4) | BIT(5), ++}; ++ + static const struct usb_device_id option_ids[] = { + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, +@@ -1712,7 +1720,13 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, +- { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_2RMNET, 0xff), ++ .driver_info = (kernel_ulong_t)&cinterion_rmnet2_blacklist }, ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_AUDIO, 0xff), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) }, ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) }, ++ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) }, + { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) }, + { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDMNET) }, +diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c +index 7725ed261ed6..62e449db24c3 100644 +--- a/drivers/usb/serial/quatech2.c ++++ b/drivers/usb/serial/quatech2.c +@@ -141,6 +141,7 @@ static void qt2_release(struct usb_serial *serial) + + serial_priv = usb_get_serial_data(serial); + ++ usb_kill_urb(serial_priv->read_urb); + usb_free_urb(serial_priv->read_urb); + kfree(serial_priv->read_buffer); + kfree(serial_priv); +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index d40ae42ba6d4..a65fa2ae094f 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1574,7 +1574,7 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file, + + src_inode = file_inode(src.file); + if (src_inode->i_sb != file_inode(file)->i_sb) { +- btrfs_info(BTRFS_I(src_inode)->root->fs_info, ++ btrfs_info(BTRFS_I(file_inode(file))->root->fs_info, + "Snapshot src from another FS"); + ret = -EINVAL; + } else if (!inode_owner_or_capable(src_inode)) { +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c +index e87387dbf39f..bbb50be00ef5 100644 +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -399,19 +399,27 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, + sec_blob->LmChallengeResponse.MaximumLength = 0; + + sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer); +- rc = setup_ntlmv2_rsp(ses, nls_cp); +- if (rc) { +- cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); +- goto setup_ntlmv2_ret; +- } +- memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, +- ses->auth_key.len - CIFS_SESS_KEY_SIZE); +- tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; ++ if (ses->user_name != NULL) { ++ rc = setup_ntlmv2_rsp(ses, nls_cp); ++ if (rc) { ++ cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); ++ goto setup_ntlmv2_ret; ++ } ++ memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, ++ ses->auth_key.len - CIFS_SESS_KEY_SIZE); ++ tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; + +- sec_blob->NtChallengeResponse.Length = +- cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); +- sec_blob->NtChallengeResponse.MaximumLength = +- cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); ++ sec_blob->NtChallengeResponse.Length = ++ cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); ++ sec_blob->NtChallengeResponse.MaximumLength = ++ cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); ++ } else { ++ /* ++ * don't send an NT Response for anonymous access ++ */ ++ sec_blob->NtChallengeResponse.Length = 0; ++ sec_blob->NtChallengeResponse.MaximumLength = 0; ++ } + + if (ses->domainName == NULL) { + sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); +diff --git a/fs/cifs/smb2glob.h b/fs/cifs/smb2glob.h +index bc0bb9c34f72..0ffa18094335 100644 +--- a/fs/cifs/smb2glob.h ++++ b/fs/cifs/smb2glob.h +@@ -44,6 +44,7 @@ + #define SMB2_OP_DELETE 7 + #define SMB2_OP_HARDLINK 8 + #define SMB2_OP_SET_EOF 9 ++#define SMB2_OP_RMDIR 10 + + /* Used when constructing chained read requests. */ + #define CHAINED_REQUEST 1 +diff --git a/fs/cifs/smb2inode.c b/fs/cifs/smb2inode.c +index 215f8d3e3e53..f970c5d5b253 100644 +--- a/fs/cifs/smb2inode.c ++++ b/fs/cifs/smb2inode.c +@@ -80,6 +80,10 @@ smb2_open_op_close(const unsigned int xid, struct cifs_tcon *tcon, + * SMB2_open() call. + */ + break; ++ case SMB2_OP_RMDIR: ++ tmprc = SMB2_rmdir(xid, tcon, fid.persistent_fid, ++ fid.volatile_fid); ++ break; + case SMB2_OP_RENAME: + tmprc = SMB2_rename(xid, tcon, fid.persistent_fid, + fid.volatile_fid, (__le16 *)data); +@@ -191,8 +195,8 @@ smb2_rmdir(const unsigned int xid, struct cifs_tcon *tcon, const char *name, + struct cifs_sb_info *cifs_sb) + { + return smb2_open_op_close(xid, tcon, cifs_sb, name, DELETE, FILE_OPEN, +- CREATE_NOT_FILE | CREATE_DELETE_ON_CLOSE, +- NULL, SMB2_OP_DELETE); ++ CREATE_NOT_FILE, ++ NULL, SMB2_OP_RMDIR); + } + + int +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index ae375dff03da..fc656bc5d6cb 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2291,6 +2291,22 @@ SMB2_rename(const unsigned int xid, struct cifs_tcon *tcon, + } + + int ++SMB2_rmdir(const unsigned int xid, struct cifs_tcon *tcon, ++ u64 persistent_fid, u64 volatile_fid) ++{ ++ __u8 delete_pending = 1; ++ void *data; ++ unsigned int size; ++ ++ data = &delete_pending; ++ size = 1; /* sizeof __u8 */ ++ ++ return send_set_info(xid, tcon, persistent_fid, volatile_fid, ++ current->tgid, FILE_DISPOSITION_INFORMATION, 1, &data, ++ &size); ++} ++ ++int + SMB2_set_hardlink(const unsigned int xid, struct cifs_tcon *tcon, + u64 persistent_fid, u64 volatile_fid, __le16 *target_file) + { +diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h +index 0ce48db20a65..8e0d57bf446b 100644 +--- a/fs/cifs/smb2proto.h ++++ b/fs/cifs/smb2proto.h +@@ -134,6 +134,8 @@ extern int SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, + extern int SMB2_rename(const unsigned int xid, struct cifs_tcon *tcon, + u64 persistent_fid, u64 volatile_fid, + __le16 *target_file); ++extern int SMB2_rmdir(const unsigned int xid, struct cifs_tcon *tcon, ++ u64 persistent_fid, u64 volatile_fid); + extern int SMB2_set_hardlink(const unsigned int xid, struct cifs_tcon *tcon, + u64 persistent_fid, u64 volatile_fid, + __le16 *target_file); +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index c798ed2fc281..0d3af0a47c6d 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -463,7 +463,7 @@ struct ring_buffer_per_cpu { + raw_spinlock_t reader_lock; /* serialize readers */ + arch_spinlock_t lock; + struct lock_class_key lock_key; +- unsigned int nr_pages; ++ unsigned long nr_pages; + struct list_head *pages; + struct buffer_page *head_page; /* read from head */ + struct buffer_page *tail_page; /* write to tail */ +@@ -483,7 +483,7 @@ struct ring_buffer_per_cpu { + u64 write_stamp; + u64 read_stamp; + /* ring buffer pages to update, > 0 to add, < 0 to remove */ +- int nr_pages_to_update; ++ long nr_pages_to_update; + struct list_head new_pages; /* new pages to add */ + struct work_struct update_pages_work; + struct completion update_done; +@@ -1120,10 +1120,10 @@ static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) + return 0; + } + +-static int __rb_allocate_pages(int nr_pages, struct list_head *pages, int cpu) ++static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu) + { +- int i; + struct buffer_page *bpage, *tmp; ++ long i; + + for (i = 0; i < nr_pages; i++) { + struct page *page; +@@ -1160,7 +1160,7 @@ free_pages: + } + + static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer, +- unsigned nr_pages) ++ unsigned long nr_pages) + { + LIST_HEAD(pages); + +@@ -1185,7 +1185,7 @@ static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer, + } + + static struct ring_buffer_per_cpu * +-rb_allocate_cpu_buffer(struct ring_buffer *buffer, int nr_pages, int cpu) ++rb_allocate_cpu_buffer(struct ring_buffer *buffer, long nr_pages, int cpu) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct buffer_page *bpage; +@@ -1284,8 +1284,9 @@ struct ring_buffer *__ring_buffer_alloc(unsigned long size, unsigned flags, + struct lock_class_key *key) + { + struct ring_buffer *buffer; ++ long nr_pages; + int bsize; +- int cpu, nr_pages; ++ int cpu; + + /* keep it in its own cache line */ + buffer = kzalloc(ALIGN(sizeof(*buffer), cache_line_size()), +@@ -1408,12 +1409,12 @@ static inline unsigned long rb_page_write(struct buffer_page *bpage) + } + + static int +-rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) ++rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages) + { + struct list_head *tail_page, *to_remove, *next_page; + struct buffer_page *to_remove_page, *tmp_iter_page; + struct buffer_page *last_page, *first_page; +- unsigned int nr_removed; ++ unsigned long nr_removed; + unsigned long head_bit; + int page_entries; + +@@ -1630,7 +1631,7 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, + int cpu_id) + { + struct ring_buffer_per_cpu *cpu_buffer; +- unsigned nr_pages; ++ unsigned long nr_pages; + int cpu, err = 0; + + /* +@@ -1644,14 +1645,13 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, + !cpumask_test_cpu(cpu_id, buffer->cpumask)) + return size; + +- size = DIV_ROUND_UP(size, BUF_PAGE_SIZE); +- size *= BUF_PAGE_SIZE; ++ nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); + + /* we need a minimum of two pages */ +- if (size < BUF_PAGE_SIZE * 2) +- size = BUF_PAGE_SIZE * 2; ++ if (nr_pages < 2) ++ nr_pages = 2; + +- nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); ++ size = nr_pages * BUF_PAGE_SIZE; + + /* + * Don't succeed if resizing is disabled, as a reader might be +@@ -4609,8 +4609,9 @@ static int rb_cpu_notify(struct notifier_block *self, + struct ring_buffer *buffer = + container_of(self, struct ring_buffer, cpu_notify); + long cpu = (long)hcpu; +- int cpu_i, nr_pages_same; +- unsigned int nr_pages; ++ long nr_pages_same; ++ int cpu_i; ++ unsigned long nr_pages; + + switch (action) { + case CPU_UP_PREPARE: diff --git a/patch/kernel/cubox-dev/patch-3.14.71-72.patch b/patch/kernel/cubox-dev/patch-3.14.71-72.patch new file mode 100644 index 000000000..bbab1bb6a --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.71-72.patch @@ -0,0 +1,521 @@ +diff --git a/Makefile b/Makefile +index 98282e65bb46..6155aaf6342a 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 71 ++SUBLEVEL = 72 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/mips/ath79/early_printk.c b/arch/mips/ath79/early_printk.c +index b955fafc58ba..d1adc59af5bf 100644 +--- a/arch/mips/ath79/early_printk.c ++++ b/arch/mips/ath79/early_printk.c +@@ -31,13 +31,15 @@ static inline void prom_putchar_wait(void __iomem *reg, u32 mask, u32 val) + } while (1); + } + ++#define BOTH_EMPTY (UART_LSR_TEMT | UART_LSR_THRE) ++ + static void prom_putchar_ar71xx(unsigned char ch) + { + void __iomem *base = (void __iomem *)(KSEG1ADDR(AR71XX_UART_BASE)); + +- prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE); ++ prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY); + __raw_writel(ch, base + UART_TX * 4); +- prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE); ++ prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY); + } + + static void prom_putchar_ar933x(unsigned char ch) +diff --git a/arch/mips/include/uapi/asm/siginfo.h b/arch/mips/include/uapi/asm/siginfo.h +index e81174432bab..6e1218ae916c 100644 +--- a/arch/mips/include/uapi/asm/siginfo.h ++++ b/arch/mips/include/uapi/asm/siginfo.h +@@ -48,13 +48,13 @@ typedef struct siginfo { + + /* kill() */ + struct { +- pid_t _pid; /* sender's pid */ ++ __kernel_pid_t _pid; /* sender's pid */ + __ARCH_SI_UID_T _uid; /* sender's uid */ + } _kill; + + /* POSIX.1b timers */ + struct { +- timer_t _tid; /* timer id */ ++ __kernel_timer_t _tid; /* timer id */ + int _overrun; /* overrun count */ + char _pad[sizeof( __ARCH_SI_UID_T) - sizeof(int)]; + sigval_t _sigval; /* same as below */ +@@ -63,26 +63,26 @@ typedef struct siginfo { + + /* POSIX.1b signals */ + struct { +- pid_t _pid; /* sender's pid */ ++ __kernel_pid_t _pid; /* sender's pid */ + __ARCH_SI_UID_T _uid; /* sender's uid */ + sigval_t _sigval; + } _rt; + + /* SIGCHLD */ + struct { +- pid_t _pid; /* which child */ ++ __kernel_pid_t _pid; /* which child */ + __ARCH_SI_UID_T _uid; /* sender's uid */ + int _status; /* exit code */ +- clock_t _utime; +- clock_t _stime; ++ __kernel_clock_t _utime; ++ __kernel_clock_t _stime; + } _sigchld; + + /* IRIX SIGCHLD */ + struct { +- pid_t _pid; /* which child */ +- clock_t _utime; ++ __kernel_pid_t _pid; /* which child */ ++ __kernel_clock_t _utime; + int _status; /* exit code */ +- clock_t _stime; ++ __kernel_clock_t _stime; + } _irix_sigchld; + + /* SIGILL, SIGFPE, SIGSEGV, SIGBUS */ +diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c +index 0b4e2e38294b..68af633cba76 100644 +--- a/arch/mips/math-emu/cp1emu.c ++++ b/arch/mips/math-emu/cp1emu.c +@@ -676,9 +676,11 @@ static int isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn, + case spec_op: + switch (insn.r_format.func) { + case jalr_op: +- regs->regs[insn.r_format.rd] = +- regs->cp0_epc + dec_insn.pc_inc + +- dec_insn.next_pc_inc; ++ if (insn.r_format.rd != 0) { ++ regs->regs[insn.r_format.rd] = ++ regs->cp0_epc + dec_insn.pc_inc + ++ dec_insn.next_pc_inc; ++ } + /* Fall through */ + case jr_op: + *contpc = regs->regs[insn.r_format.rs]; +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index 5193116eadc0..2c35b11a14c0 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -946,11 +946,6 @@ hv_facility_unavailable_relon_trampoline: + #endif + STD_RELON_EXCEPTION_PSERIES(0x5700, 0x1700, altivec_assist) + +- /* Other future vectors */ +- .align 7 +- .globl __end_interrupts +-__end_interrupts: +- + .align 7 + system_call_entry_direct: + #if defined(CONFIG_RELOCATABLE) +@@ -1304,6 +1299,17 @@ __end_handlers: + STD_RELON_EXCEPTION_PSERIES_OOL(0xf60, facility_unavailable) + STD_RELON_EXCEPTION_HV_OOL(0xf80, hv_facility_unavailable) + ++ /* ++ * The __end_interrupts marker must be past the out-of-line (OOL) ++ * handlers, so that they are copied to real address 0x100 when running ++ * a relocatable kernel. This ensures they can be reached from the short ++ * trampoline handlers (like 0x4f00, 0x4f20, etc.) which branch ++ * directly, without using LOAD_HANDLER(). ++ */ ++ .align 7 ++ .globl __end_interrupts ++__end_interrupts: ++ + #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_PPC_POWERNV) + /* + * Data area reserved for FWNMI option. +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 1adc039fe74d..7a8f94d834f9 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -313,6 +313,8 @@ static void __cpuidle_unregister_device(struct cpuidle_device *dev) + list_del(&dev->device_list); + per_cpu(cpuidle_devices, dev->cpu) = NULL; + module_put(drv->owner); ++ ++ dev->registered = 0; + } + + static void __cpuidle_device_init(struct cpuidle_device *dev) +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c +index 98a03639b413..68d54c7d01bf 100644 +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1347,7 +1347,6 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, + int n, int width, int height) + { + int c, o; +- struct drm_device *dev = fb_helper->dev; + struct drm_connector *connector; + struct drm_connector_helper_funcs *connector_funcs; + struct drm_encoder *encoder; +@@ -1366,7 +1365,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, + if (modes[n] == NULL) + return best_score; + +- crtcs = kzalloc(dev->mode_config.num_connector * ++ crtcs = kzalloc(fb_helper->connector_count * + sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL); + if (!crtcs) + return best_score; +@@ -1412,7 +1411,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, + if (score > best_score) { + best_score = score; + memcpy(best_crtcs, crtcs, +- dev->mode_config.num_connector * ++ fb_helper->connector_count * + sizeof(struct drm_fb_helper_crtc *)); + } + } +diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c +index 489ffd2c66e5..a3d37e4a84ae 100644 +--- a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c ++++ b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c +@@ -85,7 +85,7 @@ static const char *const dsi_errors[] = { + "RX Prot Violation", + "HS Generic Write FIFO Full", + "LP Generic Write FIFO Full", +- "Generic Read Data Avail" ++ "Generic Read Data Avail", + "Special Packet Sent", + "Tearing Effect", + }; +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c +index 772835938a52..46631c62e9a4 100644 +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -845,9 +845,15 @@ static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + } + + #ifdef CONFIG_COMPAT ++ ++#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t) ++ + static long uinput_compat_ioctl(struct file *file, + unsigned int cmd, unsigned long arg) + { ++ if (cmd == UI_SET_PHYS_COMPAT) ++ cmd = UI_SET_PHYS; ++ + return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg)); + } + #endif +diff --git a/drivers/net/wireless/ath/ath5k/led.c b/drivers/net/wireless/ath/ath5k/led.c +index f77ef36acf87..61879b1f7083 100644 +--- a/drivers/net/wireless/ath/ath5k/led.c ++++ b/drivers/net/wireless/ath/ath5k/led.c +@@ -77,7 +77,7 @@ static DEFINE_PCI_DEVICE_TABLE(ath5k_led_devices) = { + /* HP Compaq CQ60-206US (ddreggors@jumptv.com) */ + { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137a), ATH_LED(3, 1) }, + /* HP Compaq C700 (nitrousnrg@gmail.com) */ +- { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 1) }, ++ { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 0) }, + /* LiteOn AR5BXB63 (magooz@salug.it) */ + { ATH_SDEVICE(PCI_VENDOR_ID_ATHEROS, 0x3067), ATH_LED(3, 0) }, + /* IBM-specific AR5212 (all others) */ +diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c +index 93bb384eb001..0484de7847e9 100644 +--- a/drivers/net/wireless/rtlwifi/base.c ++++ b/drivers/net/wireless/rtlwifi/base.c +@@ -1401,9 +1401,9 @@ void rtl_watchdog_wq_callback(void *data) + if (((rtlpriv->link_info.num_rx_inperiod + + rtlpriv->link_info.num_tx_inperiod) > 8) || + (rtlpriv->link_info.num_rx_inperiod > 2)) +- rtlpriv->enter_ps = true; +- else + rtlpriv->enter_ps = false; ++ else ++ rtlpriv->enter_ps = true; + + /* LeisurePS only work in infra mode. */ + schedule_work(&rtlpriv->works.lps_change_work); +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index 146b13752572..58e81e0389bb 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -175,9 +175,6 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, + struct pci_bus_region region, inverted_region; + bool bar_too_big = false, bar_disabled = false; + +- if (dev->non_compliant_bars) +- return 0; +- + mask = type ? PCI_ROM_ADDRESS_MASK : ~0; + + /* No printks while decoding is disabled! */ +@@ -319,6 +316,9 @@ static void pci_read_bases(struct pci_dev *dev, unsigned int howmany, int rom) + { + unsigned int pos, reg; + ++ if (dev->non_compliant_bars) ++ return; ++ + for (pos = 0; pos < howmany; pos++) { + struct resource *res = &dev->resource[pos]; + reg = PCI_BASE_ADDRESS_0 + (pos << 2); +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index 6b32ddcefc11..ce177a50ec05 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -590,10 +590,10 @@ int aac_fib_send(u16 command, struct fib *fibptr, unsigned long size, + } + return -EFAULT; + } +- /* We used to udelay() here but that absorbed +- * a CPU when a timeout occured. Not very +- * useful. */ +- cpu_relax(); ++ /* ++ * Allow other processes / CPUS to use core ++ */ ++ schedule(); + } + } else if (down_interruptible(&fibptr->event_wait)) { + /* Do nothing ... satisfy +@@ -1921,6 +1921,10 @@ int aac_command_thread(void *data) + if (difference <= 0) + difference = 1; + set_current_state(TASK_INTERRUPTIBLE); ++ ++ if (kthread_should_stop()) ++ break; ++ + schedule_timeout(difference); + + if (kthread_should_stop()) +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 082b23be5409..68b7810139e8 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -506,7 +506,8 @@ static void eoi_pirq(struct irq_data *data) + if (!VALID_EVTCHN(evtchn)) + return; + +- if (unlikely(irqd_is_setaffinity_pending(data))) { ++ if (unlikely(irqd_is_setaffinity_pending(data)) && ++ likely(!irqd_irq_disabled(data))) { + int masked = test_and_set_mask(evtchn); + + clear_evtchn(evtchn); +@@ -1408,7 +1409,8 @@ static void ack_dynirq(struct irq_data *data) + if (!VALID_EVTCHN(evtchn)) + return; + +- if (unlikely(irqd_is_setaffinity_pending(data))) { ++ if (unlikely(irqd_is_setaffinity_pending(data)) && ++ likely(!irqd_irq_disabled(data))) { + int masked = test_and_set_mask(evtchn); + + clear_evtchn(evtchn); +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index a8d1a64d8cb0..4920cbdd47cc 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -1097,11 +1097,13 @@ struct inode *ext4_orphan_get(struct super_block *sb, unsigned long ino) + goto iget_failed; + + /* +- * If the orphans has i_nlinks > 0 then it should be able to be +- * truncated, otherwise it won't be removed from the orphan list +- * during processing and an infinite loop will result. ++ * If the orphans has i_nlinks > 0 then it should be able to ++ * be truncated, otherwise it won't be removed from the orphan ++ * list during processing and an infinite loop will result. ++ * Similarly, it must not be a bad inode. + */ +- if (inode->i_nlink && !ext4_can_truncate(inode)) ++ if ((inode->i_nlink && !ext4_can_truncate(inode)) || ++ is_bad_inode(inode)) + goto bad_orphan; + + if (NEXT_ORPHAN(inode) > max_ino) +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index c4a5e4df8ca3..4a79ce1ecaa1 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -1236,6 +1236,7 @@ static void ext4_mb_unload_buddy(struct ext4_buddy *e4b) + static int mb_find_order_for_block(struct ext4_buddy *e4b, int block) + { + int order = 1; ++ int bb_incr = 1 << (e4b->bd_blkbits - 1); + void *bb; + + BUG_ON(e4b->bd_bitmap == e4b->bd_buddy); +@@ -1248,7 +1249,8 @@ static int mb_find_order_for_block(struct ext4_buddy *e4b, int block) + /* this block is part of buddy of order 'order' */ + return order; + } +- bb += 1 << (e4b->bd_blkbits - order); ++ bb += bb_incr; ++ bb_incr >>= 1; + order++; + } + return 0; +@@ -2535,7 +2537,7 @@ int ext4_mb_init(struct super_block *sb) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + unsigned i, j; +- unsigned offset; ++ unsigned offset, offset_incr; + unsigned max; + int ret; + +@@ -2564,11 +2566,13 @@ int ext4_mb_init(struct super_block *sb) + + i = 1; + offset = 0; ++ offset_incr = 1 << (sb->s_blocksize_bits - 1); + max = sb->s_blocksize << 2; + do { + sbi->s_mb_offsets[i] = offset; + sbi->s_mb_maxs[i] = max; +- offset += 1 << (sb->s_blocksize_bits - i); ++ offset += offset_incr; ++ offset_incr = offset_incr >> 1; + max = max >> 1; + i++; + } while (i <= sb->s_blocksize_bits + 1); +diff --git a/fs/pipe.c b/fs/pipe.c +index 46f1ab264a4c..a03801186366 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, + void *addr; + size_t chars = buf->len, remaining; + int error, atomic; ++ int offset; + + if (chars > total_len) + chars = total_len; +@@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, + + atomic = !iov_fault_in_pages_write(iov, chars); + remaining = chars; ++ offset = buf->offset; + redo: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_to_user(iov, addr, &buf->offset, ++ error = pipe_iov_copy_to_user(iov, addr, &offset, + &remaining, atomic); + ops->unmap(pipe, buf, addr); + if (unlikely(error)) { +@@ -432,6 +434,7 @@ redo: + break; + } + ret += chars; ++ buf->offset += chars; + buf->len -= chars; + + /* Was it a packet buffer? Clean up and exit */ +diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c +index 5d90b8db0ac7..fb8579d35cd4 100644 +--- a/fs/xfs/xfs_inode.c ++++ b/fs/xfs/xfs_inode.c +@@ -2923,13 +2923,14 @@ xfs_iflush_cluster( + * We need to check under the i_flags_lock for a valid inode + * here. Skip it if it is not valid or the wrong inode. + */ +- spin_lock(&ip->i_flags_lock); +- if (!ip->i_ino || ++ spin_lock(&iq->i_flags_lock); ++ if (!iq->i_ino || ++ __xfs_iflags_test(iq, XFS_ISTALE) || + (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) { +- spin_unlock(&ip->i_flags_lock); ++ spin_unlock(&iq->i_flags_lock); + continue; + } +- spin_unlock(&ip->i_flags_lock); ++ spin_unlock(&iq->i_flags_lock); + + /* + * Do an un-protected check to see if the inode is dirty and +@@ -3045,7 +3046,7 @@ xfs_iflush( + struct xfs_buf **bpp) + { + struct xfs_mount *mp = ip->i_mount; +- struct xfs_buf *bp; ++ struct xfs_buf *bp = NULL; + struct xfs_dinode *dip; + int error; + +@@ -3087,14 +3088,22 @@ xfs_iflush( + } + + /* +- * Get the buffer containing the on-disk inode. ++ * Get the buffer containing the on-disk inode. We are doing a try-lock ++ * operation here, so we may get an EAGAIN error. In that case, we ++ * simply want to return with the inode still dirty. ++ * ++ * If we get any other error, we effectively have a corruption situation ++ * and we cannot flush the inode, so we treat it the same as failing ++ * xfs_iflush_int(). + */ + error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK, + 0); +- if (error || !bp) { ++ if (error == -EAGAIN) { + xfs_ifunlock(ip); + return error; + } ++ if (error) ++ goto corrupt_out; + + /* + * First flush out the inode that xfs_iflush was called with. +@@ -3122,7 +3131,8 @@ xfs_iflush( + return 0; + + corrupt_out: +- xfs_buf_relse(bp); ++ if (bp) ++ xfs_buf_relse(bp); + xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE); + cluster_corrupt_out: + error = XFS_ERROR(EFSCORRUPTED); +diff --git a/lib/dma-debug.c b/lib/dma-debug.c +index 1cbfc16d0b37..1ba298a9e15d 100644 +--- a/lib/dma-debug.c ++++ b/lib/dma-debug.c +@@ -646,9 +646,9 @@ static struct dma_debug_entry *dma_entry_alloc(void) + spin_lock_irqsave(&free_entries_lock, flags); + + if (list_empty(&free_entries)) { +- pr_err("DMA-API: debugging out of memory - disabling\n"); + global_disable = true; + spin_unlock_irqrestore(&free_entries_lock, flags); ++ pr_err("DMA-API: debugging out of memory - disabling\n"); + return NULL; + } + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 0f73f4507746..ae9b1fe46f8f 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -855,8 +855,8 @@ unwrap_integ_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct g + goto out; + if (svc_getnl(&buf->head[0]) != seq) + goto out; +- /* trim off the mic at the end before returning */ +- xdr_buf_trim(buf, mic.len + 4); ++ /* trim off the mic and padding at the end before returning */ ++ xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4); + stat = 0; + out: + kfree(mic.data); diff --git a/patch/kernel/cubox-dev/patch-3.14.72-73.patch b/patch/kernel/cubox-dev/patch-3.14.72-73.patch new file mode 100644 index 000000000..c43abbc67 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.72-73.patch @@ -0,0 +1,2837 @@ +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt +index 88152f214f48..302b5ed616a6 100644 +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: + - nr_open + - overflowuid + - overflowgid ++- pipe-user-pages-hard ++- pipe-user-pages-soft + - protected_hardlinks + - protected_symlinks + - suid_dumpable +@@ -159,6 +161,27 @@ The default is 65534. + + ============================================================== + ++pipe-user-pages-hard: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes. ++Once this limit is reached, no new pipes may be allocated until usage goes ++below the limit again. When set to 0, no limit is applied, which is the default ++setting. ++ ++============================================================== ++ ++pipe-user-pages-soft: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes ++before the pipe size gets limited to a single page. Once this limit is reached, ++new pipes will be limited to a single page in size for this user in order to ++limit total memory usage, and trying to increase them using fcntl() will be ++denied until usage goes below the limit again. The default value allows to ++allocate up to 1024 pipes at their default size. When set to 0, no limit is ++applied. ++ ++============================================================== ++ + protected_hardlinks: + + A long-standing class of security issues is the hardlink-based +diff --git a/Makefile b/Makefile +index 6155aaf6342a..939dfae7bb5f 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 72 ++SUBLEVEL = 73 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c +index 0dd3b79b15c3..ec33df500f86 100644 +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *target, + if (ret) + return ret; + +- vfp_flush_hwstate(thread); + thread->vfpstate.hard = new_vfp; ++ vfp_flush_hwstate(thread); + + return 0; + } +diff --git a/arch/mips/include/asm/processor.h b/arch/mips/include/asm/processor.h +index 3605b844ad87..efe9964ea9b4 100644 +--- a/arch/mips/include/asm/processor.h ++++ b/arch/mips/include/asm/processor.h +@@ -51,7 +51,7 @@ extern unsigned int vced_count, vcei_count; + * User space process size: 2GB. This is hardcoded into a few places, + * so don't change it unless you know what you are doing. + */ +-#define TASK_SIZE 0x7fff8000UL ++#define TASK_SIZE 0x80000000UL + #endif + + #ifdef __KERNEL__ +diff --git a/arch/parisc/kernel/unaligned.c b/arch/parisc/kernel/unaligned.c +index d7c0acb35ec2..8d49614d600d 100644 +--- a/arch/parisc/kernel/unaligned.c ++++ b/arch/parisc/kernel/unaligned.c +@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *regs) + break; + } + +- if (modify && R1(regs->iir)) ++ if (ret == 0 && modify && R1(regs->iir)) + regs->gr[R1(regs->iir)] = newbase; + + +@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *regs) + + if (ret) + { ++ /* ++ * The unaligned handler failed. ++ * If we were called by __get_user() or __put_user() jump ++ * to it's exception fixup handler instead of crashing. ++ */ ++ if (!user_mode(regs) && fixup_exception(regs)) ++ return; ++ + printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret); + die_if_kernel("Unaligned data reference", regs, 28); + +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index 92c538d5ed19..940b15703885 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -680,7 +680,7 @@ + #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */ + #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */ + #define SPRN_MMCR1 798 +-#define SPRN_MMCR2 769 ++#define SPRN_MMCR2 785 + #define SPRN_MMCRA 0x312 + #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */ + #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL +@@ -715,13 +715,13 @@ + #define SPRN_PMC6 792 + #define SPRN_PMC7 793 + #define SPRN_PMC8 794 +-#define SPRN_SIAR 780 +-#define SPRN_SDAR 781 + #define SPRN_SIER 784 + #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */ + #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */ + #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */ + #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */ ++#define SPRN_SIAR 796 ++#define SPRN_SDAR 797 + #define SPRN_TACR 888 + #define SPRN_TCSCR 889 + #define SPRN_CSIGR 890 +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c +index 83da53fde6b5..6700b83b7259 100644 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -615,29 +615,50 @@ static int pseries_eeh_configure_bridge(struct eeh_pe *pe) + { + int config_addr; + int ret; ++ /* Waiting 0.2s maximum before skipping configuration */ ++ int max_wait = 200; + + /* Figure out the PE address */ + config_addr = pe->config_addr; + if (pe->addr) + config_addr = pe->addr; + +- /* Use new configure-pe function, if supported */ +- if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) { +- ret = rtas_call(ibm_configure_pe, 3, 1, NULL, +- config_addr, BUID_HI(pe->phb->buid), +- BUID_LO(pe->phb->buid)); +- } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) { +- ret = rtas_call(ibm_configure_bridge, 3, 1, NULL, +- config_addr, BUID_HI(pe->phb->buid), +- BUID_LO(pe->phb->buid)); +- } else { +- return -EFAULT; +- } ++ while (max_wait > 0) { ++ /* Use new configure-pe function, if supported */ ++ if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) { ++ ret = rtas_call(ibm_configure_pe, 3, 1, NULL, ++ config_addr, BUID_HI(pe->phb->buid), ++ BUID_LO(pe->phb->buid)); ++ } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) { ++ ret = rtas_call(ibm_configure_bridge, 3, 1, NULL, ++ config_addr, BUID_HI(pe->phb->buid), ++ BUID_LO(pe->phb->buid)); ++ } else { ++ return -EFAULT; ++ } + +- if (ret) +- pr_warning("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n", +- __func__, pe->phb->global_number, pe->addr, ret); ++ if (!ret) ++ return ret; ++ ++ /* ++ * If RTAS returns a delay value that's above 100ms, cut it ++ * down to 100ms in case firmware made a mistake. For more ++ * on how these delay values work see rtas_busy_delay_time ++ */ ++ if (ret > RTAS_EXTENDED_DELAY_MIN+2 && ++ ret <= RTAS_EXTENDED_DELAY_MAX) ++ ret = RTAS_EXTENDED_DELAY_MIN+2; ++ ++ max_wait -= rtas_busy_delay_time(ret); ++ ++ if (max_wait < 0) ++ break; ++ ++ rtas_busy_delay(ret); ++ } + ++ pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n", ++ __func__, pe->phb->global_number, pe->addr, ret); + return ret; + } + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 8db66424be97..6cb4ce77df19 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3029,6 +3029,11 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu, + if (dbgregs->flags) + return -EINVAL; + ++ if (dbgregs->dr6 & ~0xffffffffull) ++ return -EINVAL; ++ if (dbgregs->dr7 & ~0xffffffffull) ++ return -EINVAL; ++ + memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db)); + vcpu->arch.dr6 = dbgregs->dr6; + kvm_update_dr6(vcpu); +diff --git a/drivers/crypto/ccp/ccp-crypto-aes-xts.c b/drivers/crypto/ccp/ccp-crypto-aes-xts.c +index 0237ab58f242..a39ee43d1a79 100644 +--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c +@@ -123,6 +123,7 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req, + struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm); + struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req); + unsigned int unit; ++ u32 unit_size; + int ret; + + if (!ctx->u.aes.key_len) +@@ -134,11 +135,17 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req, + if (!req->info) + return -EINVAL; + +- for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) +- if (!(req->nbytes & (unit_size_map[unit].size - 1))) +- break; ++ unit_size = CCP_XTS_AES_UNIT_SIZE__LAST; ++ if (req->nbytes <= unit_size_map[0].size) { ++ for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) { ++ if (!(req->nbytes & (unit_size_map[unit].size - 1))) { ++ unit_size = unit_size_map[unit].value; ++ break; ++ } ++ } ++ } + +- if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) || ++ if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) || + (ctx->u.aes.key_len != AES_KEYSIZE_128)) { + /* Use the fallback to process the request for any + * unsupported unit sizes or key sizes +@@ -159,7 +166,7 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req, + rctx->cmd.engine = CCP_ENGINE_XTS_AES_128; + rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT + : CCP_AES_ACTION_DECRYPT; +- rctx->cmd.u.xts.unit_size = unit_size_map[unit].value; ++ rctx->cmd.u.xts.unit_size = unit_size; + rctx->cmd.u.xts.key = &ctx->u.aes.key_sg; + rctx->cmd.u.xts.key_len = ctx->u.aes.key_len; + rctx->cmd.u.xts.iv = &rctx->iv_sg; +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 7645a3ce3854..b2af06444c2d 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -451,6 +451,17 @@ fail: + return rc; + } + ++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx) ++{ ++ struct efx_channel *channel; ++ struct efx_tx_queue *tx_queue; ++ ++ /* All our existing PIO buffers went away */ ++ efx_for_each_channel(channel, efx) ++ efx_for_each_channel_tx_queue(tx_queue, channel) ++ tx_queue->piobuf = NULL; ++} ++ + #else /* !EFX_USE_PIO */ + + static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n) +@@ -467,6 +478,10 @@ static void efx_ef10_free_piobufs(struct efx_nic *efx) + { + } + ++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx) ++{ ++} ++ + #endif /* EFX_USE_PIO */ + + static void efx_ef10_remove(struct efx_nic *efx) +@@ -698,6 +713,7 @@ static void efx_ef10_reset_mc_allocations(struct efx_nic *efx) + nic_data->must_realloc_vis = true; + nic_data->must_restore_filters = true; + nic_data->must_restore_piobufs = true; ++ efx_ef10_forget_old_piobufs(efx); + nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID; + } + +diff --git a/fs/dcache.c b/fs/dcache.c +index 9b235362efcd..47c06888dc05 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1500,7 +1500,7 @@ struct dentry *d_alloc(struct dentry * parent, const struct qstr *name) + struct dentry *dentry = __d_alloc(parent->d_sb, name); + if (!dentry) + return NULL; +- ++ dentry->d_flags |= DCACHE_RCUACCESS; + spin_lock(&parent->d_lock); + /* + * don't need child lock because it is not subject +@@ -2352,7 +2352,6 @@ static void __d_rehash(struct dentry * entry, struct hlist_bl_head *b) + { + BUG_ON(!d_unhashed(entry)); + hlist_bl_lock(b); +- entry->d_flags |= DCACHE_RCUACCESS; + hlist_bl_add_head_rcu(&entry->d_hash, b); + hlist_bl_unlock(b); + } +@@ -2536,6 +2535,7 @@ static void __d_move(struct dentry * dentry, struct dentry * target) + + /* ... and switch the parents */ + if (IS_ROOT(dentry)) { ++ dentry->d_flags |= DCACHE_RCUACCESS; + dentry->d_parent = target->d_parent; + target->d_parent = target; + INIT_LIST_HEAD(&target->d_child); +diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c +index f1ea610362c6..9b661a4ccee7 100644 +--- a/fs/ecryptfs/kthread.c ++++ b/fs/ecryptfs/kthread.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include "ecryptfs_kernel.h" + + struct ecryptfs_open_req { +@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file, + flags |= IS_RDONLY(lower_dentry->d_inode) ? O_RDONLY : O_RDWR; + (*lower_file) = dentry_open(&req.path, flags, cred); + if (!IS_ERR(*lower_file)) +- goto out; ++ goto have_file; + if ((flags & O_ACCMODE) == O_RDONLY) { + rc = PTR_ERR((*lower_file)); + goto out; +@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file, + mutex_unlock(&ecryptfs_kthread_ctl.mux); + wake_up(&ecryptfs_kthread_ctl.wait); + wait_for_completion(&req.done); +- if (IS_ERR(*lower_file)) ++ if (IS_ERR(*lower_file)) { + rc = PTR_ERR(*lower_file); ++ goto out; ++ } ++have_file: ++ if ((*lower_file)->f_op->mmap == NULL) { ++ fput(*lower_file); ++ *lower_file = NULL; ++ rc = -EMEDIUMTYPE; ++ } + out: + return rc; + } +diff --git a/fs/pipe.c b/fs/pipe.c +index a03801186366..fff8057a0809 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -39,6 +39,12 @@ unsigned int pipe_max_size = 1048576; + */ + unsigned int pipe_min_size = PAGE_SIZE; + ++/* Maximum allocatable pages per user. Hard limit is unset by default, soft ++ * matches default values. ++ */ ++unsigned long pipe_user_pages_hard; ++unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR; ++ + /* + * We use a start+len construction, which provides full use of the + * allocated memory. +@@ -795,20 +801,49 @@ pipe_fasync(int fd, struct file *filp, int on) + return retval; + } + ++static void account_pipe_buffers(struct pipe_inode_info *pipe, ++ unsigned long old, unsigned long new) ++{ ++ atomic_long_add(new - old, &pipe->user->pipe_bufs); ++} ++ ++static bool too_many_pipe_buffers_soft(struct user_struct *user) ++{ ++ return pipe_user_pages_soft && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft; ++} ++ ++static bool too_many_pipe_buffers_hard(struct user_struct *user) ++{ ++ return pipe_user_pages_hard && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard; ++} ++ + struct pipe_inode_info *alloc_pipe_info(void) + { + struct pipe_inode_info *pipe; + + pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL); + if (pipe) { +- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL); ++ unsigned long pipe_bufs = PIPE_DEF_BUFFERS; ++ struct user_struct *user = get_current_user(); ++ ++ if (!too_many_pipe_buffers_hard(user)) { ++ if (too_many_pipe_buffers_soft(user)) ++ pipe_bufs = 1; ++ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL); ++ } ++ + if (pipe->bufs) { + init_waitqueue_head(&pipe->wait); + pipe->r_counter = pipe->w_counter = 1; +- pipe->buffers = PIPE_DEF_BUFFERS; ++ pipe->buffers = pipe_bufs; ++ pipe->user = user; ++ account_pipe_buffers(pipe, 0, pipe_bufs); + mutex_init(&pipe->mutex); + return pipe; + } ++ free_uid(user); + kfree(pipe); + } + +@@ -819,6 +854,8 @@ void free_pipe_info(struct pipe_inode_info *pipe) + { + int i; + ++ account_pipe_buffers(pipe, pipe->buffers, 0); ++ free_uid(pipe->user); + for (i = 0; i < pipe->buffers; i++) { + struct pipe_buffer *buf = pipe->bufs + i; + if (buf->ops) +@@ -1209,6 +1246,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) + memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer)); + } + ++ account_pipe_buffers(pipe, pipe->buffers, nr_pages); + pipe->curbuf = 0; + kfree(pipe->bufs); + pipe->bufs = bufs; +@@ -1280,6 +1318,11 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) + if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { + ret = -EPERM; + goto out; ++ } else if ((too_many_pipe_buffers_hard(pipe->user) || ++ too_many_pipe_buffers_soft(pipe->user)) && ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { ++ ret = -EPERM; ++ goto out; + } + ret = pipe_set_size(pipe, nr_pages); + break; +diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c +index fb8579d35cd4..47533013a772 100644 +--- a/fs/xfs/xfs_inode.c ++++ b/fs/xfs/xfs_inode.c +@@ -3098,7 +3098,7 @@ xfs_iflush( + */ + error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK, + 0); +- if (error == -EAGAIN) { ++ if (error == EAGAIN) { + xfs_ifunlock(ip); + return error; + } +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +index a3e215bb0241..7741efa43b35 100644 +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -239,11 +239,18 @@ void xt_unregister_match(struct xt_match *target); + int xt_register_matches(struct xt_match *match, unsigned int n); + void xt_unregister_matches(struct xt_match *match, unsigned int n); + ++int xt_check_entry_offsets(const void *base, const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset); ++ + int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len, ++ struct xt_counters_info *info, bool compat); ++ + struct xt_table *xt_register_table(struct net *net, + const struct xt_table *table, + struct xt_table_info *bootstrap, +@@ -421,7 +428,7 @@ void xt_compat_init_offsets(u_int8_t af, unsigned int number); + int xt_compat_calc_jump(u_int8_t af, unsigned int offset); + + int xt_compat_match_offset(const struct xt_match *match); +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + unsigned int *size); + int xt_compat_match_to_user(const struct xt_entry_match *m, + void __user **dstptr, unsigned int *size); +@@ -431,6 +438,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + unsigned int *size); + int xt_compat_target_to_user(const struct xt_entry_target *t, + void __user **dstptr, unsigned int *size); ++int xt_compat_check_entry_offsets(const void *base, const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset); + + #endif /* CONFIG_COMPAT */ + #endif /* _X_TABLES_H */ +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h +index ab5752692113..b3374f63bc36 100644 +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -42,6 +42,7 @@ struct pipe_buffer { + * @fasync_readers: reader side fasync + * @fasync_writers: writer side fasync + * @bufs: the circular array of pipe buffers ++ * @user: the user who created this pipe + **/ + struct pipe_inode_info { + struct mutex mutex; +@@ -57,6 +58,7 @@ struct pipe_inode_info { + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; + struct pipe_buffer *bufs; ++ struct user_struct *user; + }; + + /* +@@ -140,6 +142,8 @@ void pipe_unlock(struct pipe_inode_info *); + void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *); + + extern unsigned int pipe_max_size, pipe_min_size; ++extern unsigned long pipe_user_pages_hard; ++extern unsigned long pipe_user_pages_soft; + int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *); + + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 7d6152a6700c..77ac8b6a5b68 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -756,6 +756,7 @@ struct user_struct { + #endif + unsigned long locked_shm; /* How many pages of mlocked shm ? */ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ ++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ + + #ifdef CONFIG_KEYS + struct key *uid_keyring; /* UID specific keyring */ +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index c1b26e176aa6..df9eab6928d9 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1668,6 +1668,20 @@ static struct ctl_table fs_table[] = { + .proc_handler = &pipe_proc_fn, + .extra1 = &pipe_min_size, + }, ++ { ++ .procname = "pipe-user-pages-hard", ++ .data = &pipe_user_pages_hard, ++ .maxlen = sizeof(pipe_user_pages_hard), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, ++ { ++ .procname = "pipe-user-pages-soft", ++ .data = &pipe_user_pages_soft, ++ .maxlen = sizeof(pipe_user_pages_soft), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, + { } + }; + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index f95b6f93814b..42155b1af373 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -355,11 +355,25 @@ unsigned int arpt_do_table(struct sk_buff *skb, + } + + /* All zeroes == unconditional rule. */ +-static inline bool unconditional(const struct arpt_arp *arp) ++static inline bool unconditional(const struct arpt_entry *e) + { + static const struct arpt_arp uncond; + +- return memcmp(arp, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct arpt_entry) && ++ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0; ++} ++ ++static bool find_jump_target(const struct xt_table_info *t, ++ const void *entry0, ++ const struct arpt_entry *target) ++{ ++ struct arpt_entry *iter; ++ ++ xt_entry_foreach(iter, entry0, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; + } + + /* Figures out from what hook each rule can be called: returns 0 if +@@ -398,11 +412,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); + + /* Unconditional return/END. */ +- if ((e->target_offset == sizeof(struct arpt_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && unconditional(&e->arp)) || +- visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -435,6 +448,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + size = e->next_offset; + e = (struct arpt_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -454,9 +469,15 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct arpt_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, entry0, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct arpt_entry *) + (entry0 + newpos); +@@ -470,25 +491,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + return 1; + } + +-static inline int check_entry(const struct arpt_entry *e, const char *name) +-{ +- const struct xt_entry_target *t; +- +- if (!arp_checkentry(&e->arp)) { +- duprintf("arp_tables: arp check failed %p %s.\n", e, name); +- return -EINVAL; +- } +- +- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset) +- return -EINVAL; +- +- t = arpt_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; +-} +- + static inline int check_target(struct arpt_entry *e, const char *name) + { + struct xt_entry_target *t = arpt_get_target(e); +@@ -518,10 +520,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) + struct xt_target *target; + int ret; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + t = arpt_get_target(e); + target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, + t->u.user.revision); +@@ -547,7 +545,7 @@ static bool check_underflow(const struct arpt_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->arp)) ++ if (!unconditional(e)) + return false; + t = arpt_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -566,9 +564,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 || +- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct arpt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p\n", e); + return -EINVAL; + } +@@ -580,6 +580,14 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + return -EINVAL; + } + ++ if (!arp_checkentry(&e->arp)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_ARP_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -588,9 +596,9 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +@@ -680,10 +688,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, + } + } + +- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) { +- duprintf("Looping hook\n"); ++ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) + return -ELOOP; +- } + + /* Finally, each sanity check must pass */ + i = 0; +@@ -1076,6 +1082,9 @@ static int do_replace(struct net *net, const void __user *user, + /* overflow check */ + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ if (tmp.num_counters == 0) ++ return -EINVAL; ++ + tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); +@@ -1116,56 +1125,18 @@ static int do_add_counters(struct net *net, const void __user *user, + unsigned int i, curcpu; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- const char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + void *loc_cpu_entry; + struct arpt_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; + +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); + +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; +- +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } +- +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } +- +- t = xt_find_table_lock(net, NFPROTO_ARP, name); ++ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1173,7 +1144,7 @@ static int do_add_counters(struct net *net, const void __user *user, + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +@@ -1199,6 +1170,18 @@ static int do_add_counters(struct net *net, const void __user *user, + } + + #ifdef CONFIG_COMPAT ++struct compat_arpt_replace { ++ char name[XT_TABLE_MAXNAMELEN]; ++ u32 valid_hooks; ++ u32 num_entries; ++ u32 size; ++ u32 hook_entry[NF_ARP_NUMHOOKS]; ++ u32 underflow[NF_ARP_NUMHOOKS]; ++ u32 num_counters; ++ compat_uptr_t counters; ++ struct compat_arpt_entry entries[0]; ++}; ++ + static inline void compat_release_entry(struct compat_arpt_entry *e) + { + struct xt_entry_target *t; +@@ -1207,24 +1190,22 @@ static inline void compat_release_entry(struct compat_arpt_entry *e) + module_put(t->u.kernel.target->me); + } + +-static inline int ++static int + check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned char *limit) + { + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 || +- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p, limit = %p\n", e, limit); + return -EINVAL; + } +@@ -1236,8 +1217,11 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct arpt_entry *)e, name); ++ if (!arp_checkentry(&e->arp)) ++ return -EINVAL; ++ ++ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); + if (ret) + return ret; + +@@ -1261,17 +1245,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + if (ret) + goto release_target; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_ARP_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + release_target: +@@ -1280,18 +1253,17 @@ out: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; + struct xt_target *target; + struct arpt_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + +- ret = 0; + origsize = *size; + de = (struct arpt_entry *)*dstptr; + memcpy(de, e, sizeof(struct arpt_entry)); +@@ -1312,144 +1284,81 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; + } + +-static int translate_compat_table(const char *name, +- unsigned int valid_hooks, +- struct xt_table_info **pinfo, ++static int translate_compat_table(struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_arpt_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_arpt_entry *iter0; +- struct arpt_entry *iter1; ++ struct arpt_replace repl; + unsigned int size; + int ret = 0; + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; +- +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } ++ size = compatr->size; ++ info->number = compatr->num_entries; + + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(NFPROTO_ARP); +- xt_compat_init_offsets(NFPROTO_ARP, number); ++ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + newinfo->hook_entry[i] = info->hook_entry[i]; + newinfo->underflow[i] = info->underflow[i]; + } + entry1 = newinfo->entries[raw_smp_processor_id()]; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); +- if (ret != 0) +- break; +- } ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ ++ /* all module references in entry0 are now gone */ ++ + xt_compat_flush_offsets(NFPROTO_ARP); + xt_compat_unlock(NFPROTO_ARP); +- if (ret) +- goto free_newinfo; + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = check_target(iter1, name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(arpt_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_ARP_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + +- /* And one copy for every other CPU */ +- for_each_possible_cpu(i) +- if (newinfo->entries[i] && newinfo->entries[i] != entry1) +- memcpy(newinfo->entries[i], entry1, newinfo->size); ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; + + *pinfo = newinfo; + *pentry0 = entry1; +@@ -1458,31 +1367,18 @@ static int translate_compat_table(const char *name, + + free_newinfo: + xt_free_table_info(newinfo); +-out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(NFPROTO_ARP); ++ xt_compat_unlock(NFPROTO_ARP); ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(NFPROTO_ARP); +- xt_compat_unlock(NFPROTO_ARP); +- goto out; + } + +-struct compat_arpt_replace { +- char name[XT_TABLE_MAXNAMELEN]; +- u32 valid_hooks; +- u32 num_entries; +- u32 size; +- u32 hook_entry[NF_ARP_NUMHOOKS]; +- u32 underflow[NF_ARP_NUMHOOKS]; +- u32 num_counters; +- compat_uptr_t counters; +- struct compat_arpt_entry entries[0]; +-}; +- + static int compat_do_replace(struct net *net, void __user *user, + unsigned int len) + { +@@ -1500,6 +1396,9 @@ static int compat_do_replace(struct net *net, void __user *user, + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ if (tmp.num_counters == 0) ++ return -EINVAL; ++ + tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); +@@ -1513,10 +1412,7 @@ static int compat_do_replace(struct net *net, void __user *user, + goto free_newinfo; + } + +- ret = translate_compat_table(tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 99e810f84671..82b6bc4f9167 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int offset) + + /* All zeroes == unconditional rule. */ + /* Mildly perf critical (only if packet tracing is on) */ +-static inline bool unconditional(const struct ipt_ip *ip) ++static inline bool unconditional(const struct ipt_entry *e) + { + static const struct ipt_ip uncond; + +- return memcmp(ip, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct ipt_entry) && ++ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; + #undef FWINV + } + +@@ -229,11 +230,10 @@ get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, + } else if (s == e) { + (*rulenum)++; + +- if (s->target_offset == sizeof(struct ipt_entry) && ++ if (unconditional(s) && + strcmp(t->target.u.kernel.target->name, + XT_STANDARD_TARGET) == 0 && +- t->verdict < 0 && +- unconditional(&s->ip)) { ++ t->verdict < 0) { + /* Tail of chains: STANDARD target (return/policy) */ + *comment = *chainname == hookname + ? comments[NF_IP_TRACE_COMMENT_POLICY] +@@ -439,6 +439,19 @@ ipt_do_table(struct sk_buff *skb, + #endif + } + ++static bool find_jump_target(const struct xt_table_info *t, ++ const void *entry0, ++ const struct ipt_entry *target) ++{ ++ struct ipt_entry *iter; ++ ++ xt_entry_foreach(iter, entry0, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; ++} ++ + /* Figures out from what hook each rule can be called: returns 0 if + there are loops. Puts hook bitmask in comefrom. */ + static int +@@ -472,11 +485,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); + + /* Unconditional return/END. */ +- if ((e->target_offset == sizeof(struct ipt_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && unconditional(&e->ip)) || +- visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -517,6 +529,8 @@ mark_source_chains(const struct xt_table_info *newinfo, + size = e->next_offset; + e = (struct ipt_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -535,9 +549,15 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct ipt_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, entry0, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct ipt_entry *) + (entry0 + newpos); +@@ -565,27 +585,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) + } + + static int +-check_entry(const struct ipt_entry *e, const char *name) +-{ +- const struct xt_entry_target *t; +- +- if (!ip_checkentry(&e->ip)) { +- duprintf("ip check failed %p %s.\n", e, name); +- return -EINVAL; +- } +- +- if (e->target_offset + sizeof(struct xt_entry_target) > +- e->next_offset) +- return -EINVAL; +- +- t = ipt_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; +-} +- +-static int + check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) + { + const struct ipt_ip *ip = par->entryinfo; +@@ -662,10 +661,6 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, + struct xt_mtchk_param mtpar; + struct xt_entry_match *ematch; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + j = 0; + mtpar.net = net; + mtpar.table = name; +@@ -709,7 +704,7 @@ static bool check_underflow(const struct ipt_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->ip)) ++ if (!unconditional(e)) + return false; + t = ipt_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -729,9 +724,11 @@ check_entry_size_and_hooks(struct ipt_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 || +- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct ipt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p\n", e); + return -EINVAL; + } +@@ -743,6 +740,14 @@ check_entry_size_and_hooks(struct ipt_entry *e, + return -EINVAL; + } + ++ if (!ip_checkentry(&e->ip)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -751,9 +756,9 @@ check_entry_size_and_hooks(struct ipt_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +@@ -1263,6 +1268,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) + /* overflow check */ + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ if (tmp.num_counters == 0) ++ return -EINVAL; ++ + tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); +@@ -1304,56 +1312,18 @@ do_add_counters(struct net *net, const void __user *user, + unsigned int i, curcpu; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- const char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + void *loc_cpu_entry; + struct ipt_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; +- +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } +- +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; + +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); + +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } +- +- t = xt_find_table_lock(net, AF_INET, name); ++ t = xt_find_table_lock(net, AF_INET, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1361,7 +1331,7 @@ do_add_counters(struct net *net, const void __user *user, + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +@@ -1440,7 +1410,6 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr, + + static int + compat_find_calc_match(struct xt_entry_match *m, +- const char *name, + const struct ipt_ip *ip, + unsigned int hookmask, + int *size) +@@ -1476,21 +1445,19 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned char *limit) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; + unsigned int j; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 || +- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p, limit = %p\n", e, limit); + return -EINVAL; + } +@@ -1502,8 +1469,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ipt_entry *)e, name); ++ if (!ip_checkentry(&e->ip)) ++ return -EINVAL; ++ ++ ret = xt_compat_check_entry_offsets(e, e->elems, ++ e->target_offset, e->next_offset); + if (ret) + return ret; + +@@ -1511,8 +1481,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + entry_offset = (void *)e - (void *)base; + j = 0; + xt_ematch_foreach(ematch, e) { +- ret = compat_find_calc_match(ematch, name, +- &e->ip, e->comefrom, &off); ++ ret = compat_find_calc_match(ematch, &e->ip, e->comefrom, ++ &off); + if (ret != 0) + goto release_matches; + ++j; +@@ -1535,17 +1505,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + if (ret) + goto out; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_INET_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + out: +@@ -1559,19 +1518,18 @@ release_matches: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; + struct xt_target *target; + struct ipt_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + struct xt_entry_match *ematch; + +- ret = 0; + origsize = *size; + de = (struct ipt_entry *)*dstptr; + memcpy(de, e, sizeof(struct ipt_entry)); +@@ -1580,198 +1538,104 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, + *dstptr += sizeof(struct ipt_entry); + *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); + +- xt_ematch_foreach(ematch, e) { +- ret = xt_compat_match_from_user(ematch, dstptr, size); +- if (ret != 0) +- return ret; +- } ++ xt_ematch_foreach(ematch, e) ++ xt_compat_match_from_user(ematch, dstptr, size); ++ + de->target_offset = e->target_offset - (origsize - *size); + t = compat_ipt_get_target(e); + target = t->u.kernel.target; + xt_compat_target_from_user(t, dstptr, size); + + de->next_offset = e->next_offset - (origsize - *size); ++ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if ((unsigned char *)de - base < newinfo->hook_entry[h]) + newinfo->hook_entry[h] -= origsize - *size; + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; +-} +- +-static int +-compat_check_entry(struct ipt_entry *e, struct net *net, const char *name) +-{ +- struct xt_entry_match *ematch; +- struct xt_mtchk_param mtpar; +- unsigned int j; +- int ret = 0; +- +- j = 0; +- mtpar.net = net; +- mtpar.table = name; +- mtpar.entryinfo = &e->ip; +- mtpar.hook_mask = e->comefrom; +- mtpar.family = NFPROTO_IPV4; +- xt_ematch_foreach(ematch, e) { +- ret = check_match(ematch, &mtpar); +- if (ret != 0) +- goto cleanup_matches; +- ++j; +- } +- +- ret = check_target(e, net, name); +- if (ret) +- goto cleanup_matches; +- return 0; +- +- cleanup_matches: +- xt_ematch_foreach(ematch, e) { +- if (j-- == 0) +- break; +- cleanup_match(ematch, net); +- } +- return ret; + } + + static int + translate_compat_table(struct net *net, +- const char *name, +- unsigned int valid_hooks, + struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_ipt_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_ipt_entry *iter0; +- struct ipt_entry *iter1; ++ struct ipt_replace repl; + unsigned int size; + int ret; + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; +- +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } ++ size = compatr->size; ++ info->number = compatr->num_entries; + + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET); +- xt_compat_init_offsets(AF_INET, number); ++ xt_compat_init_offsets(AF_INET, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- newinfo->hook_entry[i] = info->hook_entry[i]; +- newinfo->underflow[i] = info->underflow[i]; ++ newinfo->hook_entry[i] = compatr->hook_entry[i]; ++ newinfo->underflow[i] = compatr->underflow[i]; + } + entry1 = newinfo->entries[raw_smp_processor_id()]; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); +- if (ret != 0) +- break; +- } ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ ++ /* all module references in entry0 are now gone. ++ * entry1/newinfo contains a 64bit ruleset that looks exactly as ++ * generated by 64bit userspace. ++ * ++ * Call standard translate_table() to validate all hook_entrys, ++ * underflows, check for loops, etc. ++ */ + xt_compat_flush_offsets(AF_INET); + xt_compat_unlock(AF_INET); +- if (ret) +- goto free_newinfo; + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(ipt_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1, net); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + +- /* And one copy for every other CPU */ +- for_each_possible_cpu(i) +- if (newinfo->entries[i] && newinfo->entries[i] != entry1) +- memcpy(newinfo->entries[i], entry1, newinfo->size); ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(net, newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; + + *pinfo = newinfo; + *pentry0 = entry1; +@@ -1780,17 +1644,16 @@ translate_compat_table(struct net *net, + + free_newinfo: + xt_free_table_info(newinfo); +-out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(AF_INET); ++ xt_compat_unlock(AF_INET); ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(AF_INET); +- xt_compat_unlock(AF_INET); +- goto out; + } + + static int +@@ -1810,6 +1673,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ if (tmp.num_counters == 0) ++ return -EINVAL; ++ + tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); +@@ -1824,10 +1690,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) + goto free_newinfo; + } + +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index e080fbbbc0e5..67d5e86dd84c 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -195,11 +195,12 @@ get_entry(const void *base, unsigned int offset) + + /* All zeroes == unconditional rule. */ + /* Mildly perf critical (only if packet tracing is on) */ +-static inline bool unconditional(const struct ip6t_ip6 *ipv6) ++static inline bool unconditional(const struct ip6t_entry *e) + { + static const struct ip6t_ip6 uncond; + +- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct ip6t_entry) && ++ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0; + } + + static inline const struct xt_entry_target * +@@ -255,11 +256,10 @@ get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e, + } else if (s == e) { + (*rulenum)++; + +- if (s->target_offset == sizeof(struct ip6t_entry) && ++ if (unconditional(s) && + strcmp(t->target.u.kernel.target->name, + XT_STANDARD_TARGET) == 0 && +- t->verdict < 0 && +- unconditional(&s->ipv6)) { ++ t->verdict < 0) { + /* Tail of chains: STANDARD target (return/policy) */ + *comment = *chainname == hookname + ? comments[NF_IP6_TRACE_COMMENT_POLICY] +@@ -449,6 +449,19 @@ ip6t_do_table(struct sk_buff *skb, + #endif + } + ++static bool find_jump_target(const struct xt_table_info *t, ++ const void *entry0, ++ const struct ip6t_entry *target) ++{ ++ struct ip6t_entry *iter; ++ ++ xt_entry_foreach(iter, entry0, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; ++} ++ + /* Figures out from what hook each rule can be called: returns 0 if + there are loops. Puts hook bitmask in comefrom. */ + static int +@@ -482,11 +495,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); + + /* Unconditional return/END. */ +- if ((e->target_offset == sizeof(struct ip6t_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && +- unconditional(&e->ipv6)) || visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -527,6 +539,8 @@ mark_source_chains(const struct xt_table_info *newinfo, + size = e->next_offset; + e = (struct ip6t_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -545,9 +559,15 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct ip6t_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, entry0, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct ip6t_entry *) + (entry0 + newpos); +@@ -574,27 +594,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) + module_put(par.match->me); + } + +-static int +-check_entry(const struct ip6t_entry *e, const char *name) +-{ +- const struct xt_entry_target *t; +- +- if (!ip6_checkentry(&e->ipv6)) { +- duprintf("ip_tables: ip check failed %p %s.\n", e, name); +- return -EINVAL; +- } +- +- if (e->target_offset + sizeof(struct xt_entry_target) > +- e->next_offset) +- return -EINVAL; +- +- t = ip6t_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; +-} +- + static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) + { + const struct ip6t_ip6 *ipv6 = par->entryinfo; +@@ -673,10 +672,6 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, + struct xt_mtchk_param mtpar; + struct xt_entry_match *ematch; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + j = 0; + mtpar.net = net; + mtpar.table = name; +@@ -720,7 +715,7 @@ static bool check_underflow(const struct ip6t_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->ipv6)) ++ if (!unconditional(e)) + return false; + t = ip6t_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -740,9 +735,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 || +- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p\n", e); + return -EINVAL; + } +@@ -754,6 +751,14 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + return -EINVAL; + } + ++ if (!ip6_checkentry(&e->ipv6)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -762,9 +767,9 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +@@ -1273,6 +1278,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) + /* overflow check */ + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ if (tmp.num_counters == 0) ++ return -EINVAL; ++ + tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); +@@ -1314,56 +1322,17 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len, + unsigned int i, curcpu; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + const void *loc_cpu_entry; + struct ip6t_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; +- +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } +- +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; +- +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } +- +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; + +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } +- +- t = xt_find_table_lock(net, AF_INET6, name); ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); ++ t = xt_find_table_lock(net, AF_INET6, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1372,7 +1341,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len, + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +@@ -1452,7 +1421,6 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr, + + static int + compat_find_calc_match(struct xt_entry_match *m, +- const char *name, + const struct ip6t_ip6 *ipv6, + unsigned int hookmask, + int *size) +@@ -1488,21 +1456,19 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned char *limit) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; + unsigned int j; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 || +- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p, limit = %p\n", e, limit); + return -EINVAL; + } +@@ -1514,8 +1480,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ip6t_entry *)e, name); ++ if (!ip6_checkentry(&e->ipv6)) ++ return -EINVAL; ++ ++ ret = xt_compat_check_entry_offsets(e, e->elems, ++ e->target_offset, e->next_offset); + if (ret) + return ret; + +@@ -1523,8 +1492,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + entry_offset = (void *)e - (void *)base; + j = 0; + xt_ematch_foreach(ematch, e) { +- ret = compat_find_calc_match(ematch, name, +- &e->ipv6, e->comefrom, &off); ++ ret = compat_find_calc_match(ematch, &e->ipv6, e->comefrom, ++ &off); + if (ret != 0) + goto release_matches; + ++j; +@@ -1547,17 +1516,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + if (ret) + goto out; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_INET_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + out: +@@ -1571,18 +1529,17 @@ release_matches: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; + struct ip6t_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + struct xt_entry_match *ematch; + +- ret = 0; + origsize = *size; + de = (struct ip6t_entry *)*dstptr; + memcpy(de, e, sizeof(struct ip6t_entry)); +@@ -1591,11 +1548,9 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, + *dstptr += sizeof(struct ip6t_entry); + *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); + +- xt_ematch_foreach(ematch, e) { +- ret = xt_compat_match_from_user(ematch, dstptr, size); +- if (ret != 0) +- return ret; +- } ++ xt_ematch_foreach(ematch, e) ++ xt_compat_match_from_user(ematch, dstptr, size); ++ + de->target_offset = e->target_offset - (origsize - *size); + t = compat_ip6t_get_target(e); + xt_compat_target_from_user(t, dstptr, size); +@@ -1607,181 +1562,82 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; +-} +- +-static int compat_check_entry(struct ip6t_entry *e, struct net *net, +- const char *name) +-{ +- unsigned int j; +- int ret = 0; +- struct xt_mtchk_param mtpar; +- struct xt_entry_match *ematch; +- +- j = 0; +- mtpar.net = net; +- mtpar.table = name; +- mtpar.entryinfo = &e->ipv6; +- mtpar.hook_mask = e->comefrom; +- mtpar.family = NFPROTO_IPV6; +- xt_ematch_foreach(ematch, e) { +- ret = check_match(ematch, &mtpar); +- if (ret != 0) +- goto cleanup_matches; +- ++j; +- } +- +- ret = check_target(e, net, name); +- if (ret) +- goto cleanup_matches; +- return 0; +- +- cleanup_matches: +- xt_ematch_foreach(ematch, e) { +- if (j-- == 0) +- break; +- cleanup_match(ematch, net); +- } +- return ret; + } + + static int + translate_compat_table(struct net *net, +- const char *name, +- unsigned int valid_hooks, + struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_ip6t_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_ip6t_entry *iter0; +- struct ip6t_entry *iter1; ++ struct ip6t_replace repl; + unsigned int size; + int ret = 0; + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; +- +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } ++ size = compatr->size; ++ info->number = compatr->num_entries; + + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET6); +- xt_compat_init_offsets(AF_INET6, number); ++ xt_compat_init_offsets(AF_INET6, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- newinfo->hook_entry[i] = info->hook_entry[i]; +- newinfo->underflow[i] = info->underflow[i]; ++ newinfo->hook_entry[i] = compatr->hook_entry[i]; ++ newinfo->underflow[i] = compatr->underflow[i]; + } + entry1 = newinfo->entries[raw_smp_processor_id()]; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); +- if (ret != 0) +- break; +- } ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ ++ /* all module references in entry0 are now gone. */ + xt_compat_flush_offsets(AF_INET6); + xt_compat_unlock(AF_INET6); +- if (ret) +- goto free_newinfo; + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(ip6t_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1, net); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + +- /* And one copy for every other CPU */ +- for_each_possible_cpu(i) +- if (newinfo->entries[i] && newinfo->entries[i] != entry1) +- memcpy(newinfo->entries[i], entry1, newinfo->size); ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(net, newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; + + *pinfo = newinfo; + *pentry0 = entry1; +@@ -1790,17 +1646,16 @@ translate_compat_table(struct net *net, + + free_newinfo: + xt_free_table_info(newinfo); +-out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(AF_INET6); ++ xt_compat_unlock(AF_INET6); ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(AF_INET6); +- xt_compat_unlock(AF_INET6); +- goto out; + } + + static int +@@ -1820,6 +1675,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ if (tmp.num_counters == 0) ++ return -EINVAL; ++ + tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); +@@ -1834,10 +1692,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) + goto free_newinfo; + } + +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index b50ae296537d..038304f796d8 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1783,7 +1783,9 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) + destp = ntohs(inet->inet_dport); + srcp = ntohs(inet->inet_sport); + +- if (icsk->icsk_pending == ICSK_TIME_RETRANS) { ++ if (icsk->icsk_pending == ICSK_TIME_RETRANS || ++ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS || ++ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) { + timer_active = 1; + timer_expires = icsk->icsk_timeout; + } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) { +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 227aa11e8409..1393af786e15 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -435,6 +435,47 @@ int xt_check_match(struct xt_mtchk_param *par, + } + EXPORT_SYMBOL_GPL(xt_check_match); + ++/** xt_check_entry_match - check that matches end before start of target ++ * ++ * @match: beginning of xt_entry_match ++ * @target: beginning of this rules target (alleged end of matches) ++ * @alignment: alignment requirement of match structures ++ * ++ * Validates that all matches add up to the beginning of the target, ++ * and that each match covers at least the base structure size. ++ * ++ * Return: 0 on success, negative errno on failure. ++ */ ++static int xt_check_entry_match(const char *match, const char *target, ++ const size_t alignment) ++{ ++ const struct xt_entry_match *pos; ++ int length = target - match; ++ ++ if (length == 0) /* no matches */ ++ return 0; ++ ++ pos = (struct xt_entry_match *)match; ++ do { ++ if ((unsigned long)pos % alignment) ++ return -EINVAL; ++ ++ if (length < (int)sizeof(struct xt_entry_match)) ++ return -EINVAL; ++ ++ if (pos->u.match_size < sizeof(struct xt_entry_match)) ++ return -EINVAL; ++ ++ if (pos->u.match_size > length) ++ return -EINVAL; ++ ++ length -= pos->u.match_size; ++ pos = ((void *)((char *)(pos) + (pos)->u.match_size)); ++ } while (length > 0); ++ ++ return 0; ++} ++ + #ifdef CONFIG_COMPAT + int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) + { +@@ -504,13 +545,14 @@ int xt_compat_match_offset(const struct xt_match *match) + } + EXPORT_SYMBOL_GPL(xt_compat_match_offset); + +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, +- unsigned int *size) ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, ++ unsigned int *size) + { + const struct xt_match *match = m->u.kernel.match; + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; + int pad, off = xt_compat_match_offset(match); + u_int16_t msize = cm->u.user.match_size; ++ char name[sizeof(m->u.user.name)]; + + m = *dstptr; + memcpy(m, cm, sizeof(*cm)); +@@ -524,10 +566,12 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + + msize += off; + m->u.user.match_size = msize; ++ strlcpy(name, match->name, sizeof(name)); ++ module_put(match->me); ++ strncpy(m->u.user.name, name, sizeof(m->u.user.name)); + + *size += off; + *dstptr += msize; +- return 0; + } + EXPORT_SYMBOL_GPL(xt_compat_match_from_user); + +@@ -558,8 +602,125 @@ int xt_compat_match_to_user(const struct xt_entry_match *m, + return 0; + } + EXPORT_SYMBOL_GPL(xt_compat_match_to_user); ++ ++/* non-compat version may have padding after verdict */ ++struct compat_xt_standard_target { ++ struct compat_xt_entry_target t; ++ compat_uint_t verdict; ++}; ++ ++int xt_compat_check_entry_offsets(const void *base, const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset) ++{ ++ long size_of_base_struct = elems - (const char *)base; ++ const struct compat_xt_entry_target *t; ++ const char *e = base; ++ ++ if (target_offset < size_of_base_struct) ++ return -EINVAL; ++ ++ if (target_offset + sizeof(*t) > next_offset) ++ return -EINVAL; ++ ++ t = (void *)(e + target_offset); ++ if (t->u.target_size < sizeof(*t)) ++ return -EINVAL; ++ ++ if (target_offset + t->u.target_size > next_offset) ++ return -EINVAL; ++ ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && ++ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset) ++ return -EINVAL; ++ ++ /* compat_xt_entry match has less strict aligment requirements, ++ * otherwise they are identical. In case of padding differences ++ * we need to add compat version of xt_check_entry_match. ++ */ ++ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match)); ++ ++ return xt_check_entry_match(elems, base + target_offset, ++ __alignof__(struct compat_xt_entry_match)); ++} ++EXPORT_SYMBOL(xt_compat_check_entry_offsets); + #endif /* CONFIG_COMPAT */ + ++/** ++ * xt_check_entry_offsets - validate arp/ip/ip6t_entry ++ * ++ * @base: pointer to arp/ip/ip6t_entry ++ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems ++ * @target_offset: the arp/ip/ip6_t->target_offset ++ * @next_offset: the arp/ip/ip6_t->next_offset ++ * ++ * validates that target_offset and next_offset are sane and that all ++ * match sizes (if any) align with the target offset. ++ * ++ * This function does not validate the targets or matches themselves, it ++ * only tests that all the offsets and sizes are correct, that all ++ * match structures are aligned, and that the last structure ends where ++ * the target structure begins. ++ * ++ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. ++ * ++ * The arp/ip/ip6t_entry structure @base must have passed following tests: ++ * - it must point to a valid memory location ++ * - base to base + next_offset must be accessible, i.e. not exceed allocated ++ * length. ++ * ++ * A well-formed entry looks like this: ++ * ++ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry ++ * e->elems[]-----' | | ++ * matchsize | | ++ * matchsize | | ++ * | | ++ * target_offset---------------------------------' | ++ * next_offset---------------------------------------------------' ++ * ++ * elems[]: flexible array member at end of ip(6)/arpt_entry struct. ++ * This is where matches (if any) and the target reside. ++ * target_offset: beginning of target. ++ * next_offset: start of the next rule; also: size of this rule. ++ * Since targets have a minimum size, target_offset + minlen <= next_offset. ++ * ++ * Every match stores its size, sum of sizes must not exceed target_offset. ++ * ++ * Return: 0 on success, negative errno on failure. ++ */ ++int xt_check_entry_offsets(const void *base, ++ const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset) ++{ ++ long size_of_base_struct = elems - (const char *)base; ++ const struct xt_entry_target *t; ++ const char *e = base; ++ ++ /* target start is within the ip/ip6/arpt_entry struct */ ++ if (target_offset < size_of_base_struct) ++ return -EINVAL; ++ ++ if (target_offset + sizeof(*t) > next_offset) ++ return -EINVAL; ++ ++ t = (void *)(e + target_offset); ++ if (t->u.target_size < sizeof(*t)) ++ return -EINVAL; ++ ++ if (target_offset + t->u.target_size > next_offset) ++ return -EINVAL; ++ ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && ++ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset) ++ return -EINVAL; ++ ++ return xt_check_entry_match(elems, base + target_offset, ++ __alignof__(struct xt_entry_match)); ++} ++EXPORT_SYMBOL(xt_check_entry_offsets); ++ + int xt_check_target(struct xt_tgchk_param *par, + unsigned int size, u_int8_t proto, bool inv_proto) + { +@@ -610,6 +771,80 @@ int xt_check_target(struct xt_tgchk_param *par, + } + EXPORT_SYMBOL_GPL(xt_check_target); + ++/** ++ * xt_copy_counters_from_user - copy counters and metadata from userspace ++ * ++ * @user: src pointer to userspace memory ++ * @len: alleged size of userspace memory ++ * @info: where to store the xt_counters_info metadata ++ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel ++ * ++ * Copies counter meta data from @user and stores it in @info. ++ * ++ * vmallocs memory to hold the counters, then copies the counter data ++ * from @user to the new memory and returns a pointer to it. ++ * ++ * If @compat is true, @info gets converted automatically to the 64bit ++ * representation. ++ * ++ * The metadata associated with the counters is stored in @info. ++ * ++ * Return: returns pointer that caller has to test via IS_ERR(). ++ * If IS_ERR is false, caller has to vfree the pointer. ++ */ ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len, ++ struct xt_counters_info *info, bool compat) ++{ ++ void *mem; ++ u64 size; ++ ++#ifdef CONFIG_COMPAT ++ if (compat) { ++ /* structures only differ in size due to alignment */ ++ struct compat_xt_counters_info compat_tmp; ++ ++ if (len <= sizeof(compat_tmp)) ++ return ERR_PTR(-EINVAL); ++ ++ len -= sizeof(compat_tmp); ++ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) ++ return ERR_PTR(-EFAULT); ++ ++ strlcpy(info->name, compat_tmp.name, sizeof(info->name)); ++ info->num_counters = compat_tmp.num_counters; ++ user += sizeof(compat_tmp); ++ } else ++#endif ++ { ++ if (len <= sizeof(*info)) ++ return ERR_PTR(-EINVAL); ++ ++ len -= sizeof(*info); ++ if (copy_from_user(info, user, sizeof(*info)) != 0) ++ return ERR_PTR(-EFAULT); ++ ++ info->name[sizeof(info->name) - 1] = '\0'; ++ user += sizeof(*info); ++ } ++ ++ size = sizeof(struct xt_counters); ++ size *= info->num_counters; ++ ++ if (size != (u64)len) ++ return ERR_PTR(-EINVAL); ++ ++ mem = vmalloc(len); ++ if (!mem) ++ return ERR_PTR(-ENOMEM); ++ ++ if (copy_from_user(mem, user, len) == 0) ++ return mem; ++ ++ vfree(mem); ++ return ERR_PTR(-EFAULT); ++} ++EXPORT_SYMBOL_GPL(xt_copy_counters_from_user); ++ + #ifdef CONFIG_COMPAT + int xt_compat_target_offset(const struct xt_target *target) + { +@@ -625,6 +860,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; + int pad, off = xt_compat_target_offset(target); + u_int16_t tsize = ct->u.user.target_size; ++ char name[sizeof(t->u.user.name)]; + + t = *dstptr; + memcpy(t, ct, sizeof(*ct)); +@@ -638,6 +874,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + + tsize += off; + t->u.user.target_size = tsize; ++ strlcpy(name, target->name, sizeof(name)); ++ module_put(target->me); ++ strncpy(t->u.user.name, name, sizeof(t->u.user.name)); + + *size += off; + *dstptr += tsize; +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index fd9373c9f057..d6231f219edc 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2651,6 +2651,7 @@ static int netlink_dump(struct sock *sk) + struct netlink_callback *cb; + struct sk_buff *skb = NULL; + struct nlmsghdr *nlh; ++ struct module *module; + int len, err = -ENOBUFS; + int alloc_size; + +@@ -2700,9 +2701,11 @@ static int netlink_dump(struct sock *sk) + cb->done(cb); + + nlk->cb_running = false; ++ module = cb->module; ++ skb = cb->skb; + mutex_unlock(nlk->cb_mutex); +- module_put(cb->module); +- consume_skb(cb->skb); ++ module_put(module); ++ consume_skb(skb); + return 0; + + errout_skb: +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 87dd619fb2e9..1c9a505b7019 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -954,8 +954,29 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr, + return private(dev, iwr, cmd, info, handler); + } + /* Old driver API : call driver ioctl handler */ +- if (dev->netdev_ops->ndo_do_ioctl) +- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); ++ if (dev->netdev_ops->ndo_do_ioctl) { ++#ifdef CONFIG_COMPAT ++ if (info->flags & IW_REQUEST_FLAG_COMPAT) { ++ int ret = 0; ++ struct iwreq iwr_lcl; ++ struct compat_iw_point *iwp_compat = (void *) &iwr->u.data; ++ ++ memcpy(&iwr_lcl, iwr, sizeof(struct iwreq)); ++ iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer); ++ iwr_lcl.u.data.length = iwp_compat->length; ++ iwr_lcl.u.data.flags = iwp_compat->flags; ++ ++ ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd); ++ ++ iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer); ++ iwp_compat->length = iwr_lcl.u.data.length; ++ iwp_compat->flags = iwr_lcl.u.data.flags; ++ ++ return ret; ++ } else ++#endif ++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); ++ } + return -EOPNOTSUPP; + } + diff --git a/patch/kernel/cubox-dev/patch-3.14.73-74.patch b/patch/kernel/cubox-dev/patch-3.14.73-74.patch new file mode 100644 index 000000000..1cc5a752c --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.73-74.patch @@ -0,0 +1,1456 @@ +diff --git a/Documentation/scsi/scsi_eh.txt b/Documentation/scsi/scsi_eh.txt +index a0c85110a07e..689ab9b9953a 100644 +--- a/Documentation/scsi/scsi_eh.txt ++++ b/Documentation/scsi/scsi_eh.txt +@@ -263,19 +263,23 @@ scmd->allowed. + + 3. scmd recovered + ACTION: scsi_eh_finish_cmd() is invoked to EH-finish scmd +- - shost->host_failed-- + - clear scmd->eh_eflags + - scsi_setup_cmd_retry() + - move from local eh_work_q to local eh_done_q + LOCKING: none ++ CONCURRENCY: at most one thread per separate eh_work_q to ++ keep queue manipulation lockless + + 4. EH completes + ACTION: scsi_eh_flush_done_q() retries scmds or notifies upper +- layer of failure. ++ layer of failure. May be called concurrently but must have ++ a no more than one thread per separate eh_work_q to ++ manipulate the queue locklessly + - scmd is removed from eh_done_q and scmd->eh_entry is cleared + - if retry is necessary, scmd is requeued using + scsi_queue_insert() + - otherwise, scsi_finish_command() is invoked for scmd ++ - zero shost->host_failed + LOCKING: queue or finish function performs appropriate locking + + +diff --git a/Makefile b/Makefile +index 939dfae7bb5f..d2fb4dae6ecb 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 73 ++SUBLEVEL = 74 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h +index 219ac88a9542..bed6c8fa54b5 100644 +--- a/arch/arm/include/asm/pgtable-2level.h ++++ b/arch/arm/include/asm/pgtable-2level.h +@@ -163,6 +163,7 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long addr) + + #define pmd_large(pmd) (pmd_val(pmd) & 2) + #define pmd_bad(pmd) (pmd_val(pmd) & 2) ++#define pmd_present(pmd) (pmd_val(pmd)) + + #define copy_pmd(pmdpd,pmdps) \ + do { \ +diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h +index 06e0bc0f8b00..ab7ee9205ca4 100644 +--- a/arch/arm/include/asm/pgtable-3level.h ++++ b/arch/arm/include/asm/pgtable-3level.h +@@ -212,6 +212,7 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long addr) + : !!(pmd_val(pmd) & (val))) + #define pmd_isclear(pmd, val) (!(pmd_val(pmd) & (val))) + ++#define pmd_present(pmd) (pmd_isset((pmd), L_PMD_SECT_VALID)) + #define pmd_young(pmd) (pmd_isset((pmd), PMD_SECT_AF)) + + #define __HAVE_ARCH_PMD_WRITE +diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h +index 89dba131703b..9a9701815b57 100644 +--- a/arch/arm/include/asm/pgtable.h ++++ b/arch/arm/include/asm/pgtable.h +@@ -182,7 +182,6 @@ extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; + #define pgd_offset_k(addr) pgd_offset(&init_mm, addr) + + #define pmd_none(pmd) (!pmd_val(pmd)) +-#define pmd_present(pmd) (pmd_val(pmd)) + + static inline pte_t *pmd_page_vaddr(pmd_t pmd) + { +diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h +index a995fce87791..3ff5b4921b76 100644 +--- a/arch/mips/include/asm/kvm_host.h ++++ b/arch/mips/include/asm/kvm_host.h +@@ -342,6 +342,7 @@ struct kvm_mips_tlb { + #define KVM_MIPS_GUEST_TLB_SIZE 64 + struct kvm_vcpu_arch { + void *host_ebase, *guest_ebase; ++ int (*vcpu_run)(struct kvm_run *run, struct kvm_vcpu *vcpu); + unsigned long host_stack; + unsigned long host_gp; + +diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S +index ba5ce99c021d..d1fa2a57218b 100644 +--- a/arch/mips/kvm/kvm_locore.S ++++ b/arch/mips/kvm/kvm_locore.S +@@ -229,6 +229,7 @@ FEXPORT(__kvm_mips_load_k0k1) + + /* Jump to guest */ + eret ++EXPORT(__kvm_mips_vcpu_run_end) + + VECTOR(MIPSX(exception), unknown) + /* +diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c +index 12d850b68763..2b2dd4ec03fb 100644 +--- a/arch/mips/kvm/kvm_mips.c ++++ b/arch/mips/kvm/kvm_mips.c +@@ -348,6 +348,15 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + memcpy(gebase + offset, mips32_GuestException, + mips32_GuestExceptionEnd - mips32_GuestException); + ++#ifdef MODULE ++ offset += mips32_GuestExceptionEnd - mips32_GuestException; ++ memcpy(gebase + offset, (char *)__kvm_mips_vcpu_run, ++ __kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run); ++ vcpu->arch.vcpu_run = gebase + offset; ++#else ++ vcpu->arch.vcpu_run = __kvm_mips_vcpu_run; ++#endif ++ + /* Invalidate the icache for these ranges */ + mips32_SyncICache((unsigned long) gebase, ALIGN(size, PAGE_SIZE)); + +@@ -431,7 +440,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *run) + + kvm_guest_enter(); + +- r = __kvm_mips_vcpu_run(run, vcpu); ++ r = vcpu->arch.vcpu_run(run, vcpu); + + kvm_guest_exit(); + local_irq_enable(); +diff --git a/arch/mips/kvm/kvm_mips_int.h b/arch/mips/kvm/kvm_mips_int.h +index 20da7d29eede..bf41ea36210e 100644 +--- a/arch/mips/kvm/kvm_mips_int.h ++++ b/arch/mips/kvm/kvm_mips_int.h +@@ -27,6 +27,8 @@ + #define MIPS_EXC_MAX 12 + /* XXXSL More to follow */ + ++extern char __kvm_mips_vcpu_run_end[]; ++ + #define C_TI (_ULCAST_(1) << 30) + + #define KVM_MIPS_IRQ_DELIVER_ALL_AT_ONCE (0) +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 6e15abf30eb8..916b3a5db859 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1237,6 +1237,16 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp) + current->thread.regs = regs - 1; + } + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* ++ * Clear any transactional state, we're exec()ing. The cause is ++ * not important as there will never be a recheckpoint so it's not ++ * user visible. ++ */ ++ if (MSR_TM_SUSPENDED(mfmsr())) ++ tm_reclaim_current(0); ++#endif ++ + memset(regs->gpr, 0, sizeof(regs->gpr)); + regs->ctr = 0; + regs->link = 0; +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c +index de1ec54a2a57..a2082be599c8 100644 +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -826,7 +826,8 @@ machine_arch_initcall(pseries, find_existing_ddw_windows); + static int query_ddw(struct pci_dev *dev, const u32 *ddw_avail, + struct ddw_query_response *query) + { +- struct eeh_dev *edev; ++ struct device_node *dn; ++ struct pci_dn *pdn; + u32 cfg_addr; + u64 buid; + int ret; +@@ -837,11 +838,10 @@ static int query_ddw(struct pci_dev *dev, const u32 *ddw_avail, + * Retrieve them from the pci device, not the node with the + * dma-window property + */ +- edev = pci_dev_to_eeh_dev(dev); +- cfg_addr = edev->config_addr; +- if (edev->pe_config_addr) +- cfg_addr = edev->pe_config_addr; +- buid = edev->phb->buid; ++ dn = pci_device_to_OF_node(dev); ++ pdn = PCI_DN(dn); ++ buid = pdn->phb->buid; ++ cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8)); + + ret = rtas_call(ddw_avail[0], 3, 5, (u32 *)query, + cfg_addr, BUID_HI(buid), BUID_LO(buid)); +@@ -855,7 +855,8 @@ static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail, + struct ddw_create_response *create, int page_shift, + int window_shift) + { +- struct eeh_dev *edev; ++ struct device_node *dn; ++ struct pci_dn *pdn; + u32 cfg_addr; + u64 buid; + int ret; +@@ -866,11 +867,10 @@ static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail, + * Retrieve them from the pci device, not the node with the + * dma-window property + */ +- edev = pci_dev_to_eeh_dev(dev); +- cfg_addr = edev->config_addr; +- if (edev->pe_config_addr) +- cfg_addr = edev->pe_config_addr; +- buid = edev->phb->buid; ++ dn = pci_device_to_OF_node(dev); ++ pdn = PCI_DN(dn); ++ buid = pdn->phb->buid; ++ cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8)); + + do { + /* extra outputs are LIOBN and dma-addr (hi, lo) */ +diff --git a/arch/s390/include/asm/syscall.h b/arch/s390/include/asm/syscall.h +index cd29d2f4e4f3..749313b452ae 100644 +--- a/arch/s390/include/asm/syscall.h ++++ b/arch/s390/include/asm/syscall.h +@@ -54,7 +54,7 @@ static inline void syscall_set_return_value(struct task_struct *task, + struct pt_regs *regs, + int error, long val) + { +- regs->gprs[2] = error ? -error : val; ++ regs->gprs[2] = error ? error : val; + } + + static inline void syscall_get_arguments(struct task_struct *task, +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index 878df7e88cd4..3ef7e11b06fb 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -156,6 +156,9 @@ isoimage: $(obj)/bzImage + for i in lib lib64 share end ; do \ + if [ -f /usr/$$i/syslinux/isolinux.bin ] ; then \ + cp /usr/$$i/syslinux/isolinux.bin $(obj)/isoimage ; \ ++ if [ -f /usr/$$i/syslinux/ldlinux.c32 ]; then \ ++ cp /usr/$$i/syslinux/ldlinux.c32 $(obj)/isoimage ; \ ++ fi ; \ + break ; \ + fi ; \ + if [ $$i = end ] ; then exit 1 ; fi ; \ +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c +index dec8de4e1663..0c02d794e802 100644 +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -67,8 +67,8 @@ int amd_cache_northbridges(void) + while ((misc = next_northbridge(misc, amd_nb_misc_ids)) != NULL) + i++; + +- if (i == 0) +- return 0; ++ if (!i) ++ return -ENODEV; + + nb = kzalloc(i * sizeof(struct amd_northbridge), GFP_KERNEL); + if (!nb) +diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c +index 61cd5200608d..a5186a47b12f 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -2606,13 +2606,13 @@ __init int intel_pmu_init(void) + * counter, so do not extend mask to generic counters + */ + for_each_event_constraint(c, x86_pmu.event_constraints) { +- if (c->cmask != FIXED_EVENT_FLAGS +- || c->idxmsk64 == INTEL_PMC_MSK_FIXED_REF_CYCLES) { +- continue; ++ if (c->cmask == FIXED_EVENT_FLAGS ++ && c->idxmsk64 != INTEL_PMC_MSK_FIXED_REF_CYCLES) { ++ c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1; + } +- +- c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1; +- c->weight += x86_pmu.num_counters; ++ c->idxmsk64 &= ++ ~(~0ULL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed)); ++ c->weight = hweight64(c->idxmsk64); + } + } + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 490fee15fea5..6cd32acb376f 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -911,7 +911,19 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr) + * normal page fault. + */ + regs->ip = (unsigned long)cur->addr; ++ /* ++ * Trap flag (TF) has been set here because this fault ++ * happened where the single stepping will be done. ++ * So clear it by resetting the current kprobe: ++ */ ++ regs->flags &= ~X86_EFLAGS_TF; ++ ++ /* ++ * If the TF flag was set before the kprobe hit, ++ * don't touch it: ++ */ + regs->flags |= kcb->kprobe_old_flags; ++ + if (kcb->kprobe_status == KPROBE_REENTER) + restore_previous_kprobe(kcb); + else +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index c6c77b767a8d..05383d644e3a 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -604,7 +604,7 @@ void ata_scsi_error(struct Scsi_Host *host) + ata_scsi_port_error_handler(host, ap); + + /* finish or retry handled scmd's and clean up */ +- WARN_ON(host->host_failed || !list_empty(&eh_work_q)); ++ WARN_ON(!list_empty(&eh_work_q)); + + DPRINTK("EXIT\n"); + } +diff --git a/drivers/base/module.c b/drivers/base/module.c +index db930d3ee312..2a215780eda2 100644 +--- a/drivers/base/module.c ++++ b/drivers/base/module.c +@@ -24,10 +24,12 @@ static char *make_driver_name(struct device_driver *drv) + + static void module_create_drivers_dir(struct module_kobject *mk) + { +- if (!mk || mk->drivers_dir) +- return; ++ static DEFINE_MUTEX(drivers_dir_mutex); + +- mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); ++ mutex_lock(&drivers_dir_mutex); ++ if (mk && !mk->drivers_dir) ++ mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); ++ mutex_unlock(&drivers_dir_mutex); + } + + void module_add_driver(struct module *mod, struct device_driver *drv) +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index 8e5e0187506f..3ff21c3e9ab2 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -797,7 +797,7 @@ static int hash_process_data(struct hash_device_data *device_data, + &device_data->state); + memmove(req_ctx->state.buffer, + device_data->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, + "%s: hash_resume_state() failed!\n", +@@ -848,7 +848,7 @@ static int hash_process_data(struct hash_device_data *device_data, + + memmove(device_data->state.buffer, + req_ctx->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, "%s: hash_save_state() failed!\n", + __func__); +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 0a9d1fd32994..d30aba867a3a 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -5590,12 +5590,14 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + struct drm_i915_private *dev_priv = dev->dev_private; + struct drm_mode_config *mode_config = &dev->mode_config; + struct intel_encoder *encoder; ++ int i; + u32 val, final; + bool has_lvds = false; + bool has_cpu_edp = false; + bool has_panel = false; + bool has_ck505 = false; + bool can_ssc = false; ++ bool using_ssc_source = false; + + /* We need to take the global config into account */ + list_for_each_entry(encoder, &mode_config->encoder_list, +@@ -5621,8 +5623,22 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + can_ssc = true; + } + +- DRM_DEBUG_KMS("has_panel %d has_lvds %d has_ck505 %d\n", +- has_panel, has_lvds, has_ck505); ++ /* Check if any DPLLs are using the SSC source */ ++ for (i = 0; i < dev_priv->num_shared_dpll; i++) { ++ u32 temp = I915_READ(PCH_DPLL(i)); ++ ++ if (!(temp & DPLL_VCO_ENABLE)) ++ continue; ++ ++ if ((temp & PLL_REF_INPUT_MASK) == ++ PLLB_REF_INPUT_SPREADSPECTRUMIN) { ++ using_ssc_source = true; ++ break; ++ } ++ } ++ ++ DRM_DEBUG_KMS("has_panel %d has_lvds %d has_ck505 %d using_ssc_source %d\n", ++ has_panel, has_lvds, has_ck505, using_ssc_source); + + /* Ironlake: try to setup display ref clock before DPLL + * enabling. This is only under driver's control after +@@ -5659,9 +5675,9 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + final |= DREF_CPU_SOURCE_OUTPUT_NONSPREAD; + } else + final |= DREF_CPU_SOURCE_OUTPUT_DISABLE; +- } else { +- final |= DREF_SSC_SOURCE_DISABLE; +- final |= DREF_CPU_SOURCE_OUTPUT_DISABLE; ++ } else if (using_ssc_source) { ++ final |= DREF_SSC_SOURCE_ENABLE; ++ final |= DREF_SSC1_ENABLE; + } + + if (final == val) +@@ -5708,7 +5724,7 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + POSTING_READ(PCH_DREF_CONTROL); + udelay(200); + } else { +- DRM_DEBUG_KMS("Disabling SSC entirely\n"); ++ DRM_DEBUG_KMS("Disabling CPU source output\n"); + + val &= ~DREF_CPU_SOURCE_OUTPUT_MASK; + +@@ -5719,16 +5735,20 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + POSTING_READ(PCH_DREF_CONTROL); + udelay(200); + +- /* Turn off the SSC source */ +- val &= ~DREF_SSC_SOURCE_MASK; +- val |= DREF_SSC_SOURCE_DISABLE; ++ if (!using_ssc_source) { ++ DRM_DEBUG_KMS("Disabling SSC source\n"); + +- /* Turn off SSC1 */ +- val &= ~DREF_SSC1_ENABLE; ++ /* Turn off the SSC source */ ++ val &= ~DREF_SSC_SOURCE_MASK; ++ val |= DREF_SSC_SOURCE_DISABLE; + +- I915_WRITE(PCH_DREF_CONTROL, val); +- POSTING_READ(PCH_DREF_CONTROL); +- udelay(200); ++ /* Turn off SSC1 */ ++ val &= ~DREF_SSC1_ENABLE; ++ ++ I915_WRITE(PCH_DREF_CONTROL, val); ++ POSTING_READ(PCH_DREF_CONTROL); ++ udelay(200); ++ } + } + + BUG_ON(val != final); +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index 129915eca07b..578eb21ca584 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -548,6 +548,23 @@ void radeon_gtt_location(struct radeon_device *rdev, struct radeon_mc *mc) + /* + * GPU helpers function. + */ ++ ++/** ++ * radeon_device_is_virtual - check if we are running is a virtual environment ++ * ++ * Check if the asic has been passed through to a VM (all asics). ++ * Used at driver startup. ++ * Returns true if virtual or false if not. ++ */ ++static bool radeon_device_is_virtual(void) ++{ ++#ifdef CONFIG_X86 ++ return boot_cpu_has(X86_FEATURE_HYPERVISOR); ++#else ++ return false; ++#endif ++} ++ + /** + * radeon_card_posted - check if the hw has already been initialized + * +@@ -561,6 +578,10 @@ bool radeon_card_posted(struct radeon_device *rdev) + { + uint32_t reg; + ++ /* for pass through, always force asic_init */ ++ if (radeon_device_is_virtual()) ++ return false; ++ + /* required for EFI mode on macbook2,1 which uses an r5xx asic */ + if (efi_enabled(EFI_BOOT) && + (rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) && +diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c +index 4e49462870ab..d0c8a1c1e1fe 100644 +--- a/drivers/hid/hid-elo.c ++++ b/drivers/hid/hid-elo.c +@@ -259,7 +259,7 @@ static void elo_remove(struct hid_device *hdev) + struct elo_priv *priv = hid_get_drvdata(hdev); + + hid_hw_stop(hdev); +- flush_workqueue(wq); ++ cancel_delayed_work_sync(&priv->work); + kfree(priv); + } + +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 2f1ddca6f2e0..700145b15088 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + goto inval; + } else if (uref->usage_index >= field->report_count) + goto inval; +- +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; + } + ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > field->report_count)) ++ goto inval; ++ + switch (cmd) { + case HIDIOCGUSAGE: + uref->value = field->value[uref->usage_index]; +diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c +index 98ba761cbb9c..d8738d4f8df3 100644 +--- a/drivers/iio/accel/kxsd9.c ++++ b/drivers/iio/accel/kxsd9.c +@@ -81,7 +81,7 @@ static int kxsd9_write_scale(struct iio_dev *indio_dev, int micro) + + mutex_lock(&st->buf_lock); + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); +- if (ret) ++ if (ret < 0) + goto error_ret; + st->tx[0] = KXSD9_WRITE(KXSD9_REG_CTRL_C); + st->tx[1] = (ret & ~KXSD9_FS_MASK) | i; +@@ -163,7 +163,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev, + break; + case IIO_CHAN_INFO_SCALE: + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); +- if (ret) ++ if (ret < 0) + goto error_ret; + *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK]; + ret = IIO_VAL_INT_PLUS_MICRO; +diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c +index 70f78c3062a7..8e2b9e70511d 100644 +--- a/drivers/iio/adc/ad7266.c ++++ b/drivers/iio/adc/ad7266.c +@@ -396,8 +396,8 @@ static int ad7266_probe(struct spi_device *spi) + + st = iio_priv(indio_dev); + +- st->reg = devm_regulator_get(&spi->dev, "vref"); +- if (!IS_ERR_OR_NULL(st->reg)) { ++ st->reg = devm_regulator_get_optional(&spi->dev, "vref"); ++ if (!IS_ERR(st->reg)) { + ret = regulator_enable(st->reg); + if (ret) + return ret; +@@ -408,6 +408,9 @@ static int ad7266_probe(struct spi_device *spi) + + st->vref_mv = ret / 1000; + } else { ++ /* Any other error indicates that the regulator does exist */ ++ if (PTR_ERR(st->reg) != -ENODEV) ++ return PTR_ERR(st->reg); + /* Use internal reference */ + st->vref_mv = 2500; + } +diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c +index 766fab24b720..bc7f51f9a00a 100644 +--- a/drivers/iio/industrialio-trigger.c ++++ b/drivers/iio/industrialio-trigger.c +@@ -205,22 +205,35 @@ static int iio_trigger_attach_poll_func(struct iio_trigger *trig, + + /* Prevent the module from being removed whilst attached to a trigger */ + __module_get(pf->indio_dev->info->driver_module); ++ ++ /* Get irq number */ + pf->irq = iio_trigger_get_irq(trig); ++ if (pf->irq < 0) ++ goto out_put_module; ++ ++ /* Request irq */ + ret = request_threaded_irq(pf->irq, pf->h, pf->thread, + pf->type, pf->name, + pf); +- if (ret < 0) { +- module_put(pf->indio_dev->info->driver_module); +- return ret; +- } ++ if (ret < 0) ++ goto out_put_irq; + ++ /* Enable trigger in driver */ + if (trig->ops && trig->ops->set_trigger_state && notinuse) { + ret = trig->ops->set_trigger_state(trig, true); + if (ret < 0) +- module_put(pf->indio_dev->info->driver_module); ++ goto out_free_irq; + } + + return ret; ++ ++out_free_irq: ++ free_irq(pf->irq, pf); ++out_put_irq: ++ iio_trigger_put_irq(trig, pf->irq); ++out_put_module: ++ module_put(pf->indio_dev->info->driver_module); ++ return ret; + } + + static int iio_trigger_detach_poll_func(struct iio_trigger *trig, +diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c +index 1ddcebd84622..e05c73aeec66 100644 +--- a/drivers/infiniband/hw/mlx4/ah.c ++++ b/drivers/infiniband/hw/mlx4/ah.c +@@ -46,6 +46,7 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr, + + ah->av.ib.port_pd = cpu_to_be32(to_mpd(pd)->pdn | (ah_attr->port_num << 24)); + ah->av.ib.g_slid = ah_attr->src_path_bits; ++ ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28); + if (ah_attr->ah_flags & IB_AH_GRH) { + ah->av.ib.g_slid |= 0x80; + ah->av.ib.gid_index = ah_attr->grh.sgid_index; +@@ -63,7 +64,6 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr, + !(1 << ah->av.ib.stat_rate & dev->caps.stat_rate_support)) + --ah->av.ib.stat_rate; + } +- ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28); + + return &ah->ibah; + } +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 3e1d7d29b4ec..758596021cf0 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -86,9 +86,14 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp) + while (!cur_buf->skb && next != rxq->read_idx) { + struct alx_rfd *rfd = &rxq->rfd[cur]; + +- skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp); ++ skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size + 64, gfp); + if (!skb) + break; ++ ++ /* Workround for the HW RX DMA overflow issue */ ++ if (((unsigned long)skb->data & 0xfff) == 0xfc0) ++ skb_reserve(skb, 64); ++ + dma = dma_map_single(&alx->hw.pdev->dev, + skb->data, alx->rxbuf_size, + DMA_FROM_DEVICE); +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index c6637229bdb8..584504e6e95c 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -438,6 +438,13 @@ advance: + if (cdc_ncm_setup(dev)) + goto error2; + ++ /* Some firmwares need a pause here or they will silently fail ++ * to set up the interface properly. This value was decided ++ * empirically on a Sierra Wireless MC7455 running 02.08.02.00 ++ * firmware. ++ */ ++ usleep_range(10000, 20000); ++ + /* configure data interface */ + temp = usb_set_interface(dev->udev, iface_no, data_altsetting); + if (temp) { +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 505ff601d9f4..cb58ad0311da 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2251,6 +2251,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, + if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] || + !info->attrs[HWSIM_ATTR_FLAGS] || + !info->attrs[HWSIM_ATTR_COOKIE] || ++ !info->attrs[HWSIM_ATTR_SIGNAL] || + !info->attrs[HWSIM_ATTR_TX_INFO]) + goto out; + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 787c8a883c3c..e11ca1f7bef6 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -1111,7 +1111,6 @@ static int scsi_eh_action(struct scsi_cmnd *scmd, int rtn) + */ + void scsi_eh_finish_cmd(struct scsi_cmnd *scmd, struct list_head *done_q) + { +- scmd->device->host->host_failed--; + scmd->eh_eflags = 0; + list_move_tail(&scmd->eh_entry, done_q); + } +@@ -2193,6 +2192,9 @@ int scsi_error_handler(void *data) + else + scsi_unjam_host(shost); + ++ /* All scmds have been handled */ ++ shost->host_failed = 0; ++ + /* + * Note - if the above fails completely, the action is to take + * individual devices offline and flush the queue of any +diff --git a/drivers/staging/iio/accel/sca3000_core.c b/drivers/staging/iio/accel/sca3000_core.c +index 7f6ccdfaf168..99e148899404 100644 +--- a/drivers/staging/iio/accel/sca3000_core.c ++++ b/drivers/staging/iio/accel/sca3000_core.c +@@ -592,7 +592,7 @@ static ssize_t sca3000_read_frequency(struct device *dev, + goto error_ret_mut; + ret = sca3000_read_ctrl_reg(st, SCA3000_REG_CTRL_SEL_OUT_CTRL); + mutex_unlock(&st->lock); +- if (ret) ++ if (ret < 0) + goto error_ret; + val = ret; + if (base_freq > 0) +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c +index d0e3a4497707..adf4d3124cc6 100644 +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -365,34 +365,22 @@ static void to_utf8(struct vc_data *vc, uint c) + + static void do_compute_shiftstate(void) + { +- unsigned int i, j, k, sym, val; ++ unsigned int k, sym, val; + + shift_state = 0; + memset(shift_down, 0, sizeof(shift_down)); + +- for (i = 0; i < ARRAY_SIZE(key_down); i++) { +- +- if (!key_down[i]) ++ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) { ++ sym = U(key_maps[0][k]); ++ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) + continue; + +- k = i * BITS_PER_LONG; +- +- for (j = 0; j < BITS_PER_LONG; j++, k++) { +- +- if (!test_bit(k, key_down)) +- continue; ++ val = KVAL(sym); ++ if (val == KVAL(K_CAPSSHIFT)) ++ val = KVAL(K_SHIFT); + +- sym = U(key_maps[0][k]); +- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) +- continue; +- +- val = KVAL(sym); +- if (val == KVAL(K_CAPSSHIFT)) +- val = KVAL(K_SHIFT); +- +- shift_down[val]++; +- shift_state |= (1 << val); +- } ++ shift_down[val]++; ++ shift_state |= BIT(val); + } + } + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 00addda9ad53..b6c85fbd0a14 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -205,6 +205,9 @@ static const struct usb_device_id usb_amd_resume_quirk_list[] = { + /* Logitech Optical Mouse M90/M100 */ + { USB_DEVICE(0x046d, 0xc05a), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Acer C120 LED Projector */ ++ { USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Blackmagic Design Intensity Shuttle */ + { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM }, + +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index 6b0fb6af6815..a2df3e7e66e2 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -583,14 +583,13 @@ musb_rx_reinit(struct musb *musb, struct musb_qh *qh, struct musb_hw_ep *ep) + musb_writew(ep->regs, MUSB_TXCSR, 0); + + /* scrub all previous state, clearing toggle */ +- } else { +- csr = musb_readw(ep->regs, MUSB_RXCSR); +- if (csr & MUSB_RXCSR_RXPKTRDY) +- WARNING("rx%d, packet/%d ready?\n", ep->epnum, +- musb_readw(ep->regs, MUSB_RXCOUNT)); +- +- musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); + } ++ csr = musb_readw(ep->regs, MUSB_RXCSR); ++ if (csr & MUSB_RXCSR_RXPKTRDY) ++ WARNING("rx%d, packet/%d ready?\n", ep->epnum, ++ musb_readw(ep->regs, MUSB_RXCOUNT)); ++ ++ musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); + + /* target addr and (for multipoint) hub addr/port */ + if (musb->is_multipoint) { +@@ -950,9 +949,15 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep, + if (is_in) { + dma = is_dma_capable() ? ep->rx_channel : NULL; + +- /* clear nak timeout bit */ ++ /* ++ * Need to stop the transaction by clearing REQPKT first ++ * then the NAK Timeout bit ref MUSBMHDRC USB 2.0 HIGH-SPEED ++ * DUAL-ROLE CONTROLLER Programmer's Guide, section 9.2.2 ++ */ + rx_csr = musb_readw(epio, MUSB_RXCSR); + rx_csr |= MUSB_RXCSR_H_WZC_BITS; ++ rx_csr &= ~MUSB_RXCSR_H_REQPKT; ++ musb_writew(epio, MUSB_RXCSR, rx_csr); + rx_csr &= ~MUSB_RXCSR_DATAERROR; + musb_writew(epio, MUSB_RXCSR, rx_csr); + +diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c +index 7231859119f1..9deb30b0e077 100644 +--- a/drivers/xen/xen-acpi-processor.c ++++ b/drivers/xen/xen-acpi-processor.c +@@ -423,36 +423,7 @@ upload: + + return 0; + } +-static int __init check_prereq(void) +-{ +- struct cpuinfo_x86 *c = &cpu_data(0); +- +- if (!xen_initial_domain()) +- return -ENODEV; +- +- if (!acpi_gbl_FADT.smi_command) +- return -ENODEV; +- +- if (c->x86_vendor == X86_VENDOR_INTEL) { +- if (!cpu_has(c, X86_FEATURE_EST)) +- return -ENODEV; + +- return 0; +- } +- if (c->x86_vendor == X86_VENDOR_AMD) { +- /* Copied from powernow-k8.h, can't include ../cpufreq/powernow +- * as we get compile warnings for the static functions. +- */ +-#define CPUID_FREQ_VOLT_CAPABILITIES 0x80000007 +-#define USE_HW_PSTATE 0x00000080 +- u32 eax, ebx, ecx, edx; +- cpuid(CPUID_FREQ_VOLT_CAPABILITIES, &eax, &ebx, &ecx, &edx); +- if ((edx & USE_HW_PSTATE) != USE_HW_PSTATE) +- return -ENODEV; +- return 0; +- } +- return -ENODEV; +-} + /* acpi_perf_data is a pointer to percpu data. */ + static struct acpi_processor_performance __percpu *acpi_perf_data; + +@@ -508,10 +479,10 @@ static struct syscore_ops xap_syscore_ops = { + static int __init xen_acpi_processor_init(void) + { + unsigned int i; +- int rc = check_prereq(); ++ int rc; + +- if (rc) +- return rc; ++ if (!xen_initial_domain()) ++ return -ENODEV; + + nr_acpi_bits = get_max_acpi_id() + 1; + acpi_ids_done = kcalloc(BITS_TO_LONGS(nr_acpi_bits), sizeof(unsigned long), GFP_KERNEL); +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 8813ff776ba3..7522829b29ef 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -410,7 +410,9 @@ cifs_echo_request(struct work_struct *work) + * server->ops->need_neg() == true. Also, no need to ping if + * we got a response recently. + */ +- if (!server->ops->need_neg || server->ops->need_neg(server) || ++ ++ if (server->tcpStatus == CifsNeedReconnect || ++ server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew || + (server->ops->can_echo && !server->ops->can_echo(server)) || + time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ)) + goto requeue_echo; +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index fc656bc5d6cb..e83f7d2b585b 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1590,6 +1590,33 @@ SMB2_echo(struct TCP_Server_Info *server) + + cifs_dbg(FYI, "In echo request\n"); + ++ if (server->tcpStatus == CifsNeedNegotiate) { ++ struct list_head *tmp, *tmp2; ++ struct cifs_ses *ses; ++ struct cifs_tcon *tcon; ++ ++ cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n"); ++ spin_lock(&cifs_tcp_ses_lock); ++ list_for_each(tmp, &server->smb_ses_list) { ++ ses = list_entry(tmp, struct cifs_ses, smb_ses_list); ++ list_for_each(tmp2, &ses->tcon_list) { ++ tcon = list_entry(tmp2, struct cifs_tcon, ++ tcon_list); ++ /* add check for persistent handle reconnect */ ++ if (tcon && tcon->need_reconnect) { ++ spin_unlock(&cifs_tcp_ses_lock); ++ rc = smb2_reconnect(SMB2_ECHO, tcon); ++ spin_lock(&cifs_tcp_ses_lock); ++ } ++ } ++ } ++ spin_unlock(&cifs_tcp_ses_lock); ++ } ++ ++ /* if no session, renegotiate failed above */ ++ if (server->tcpStatus == CifsNeedNegotiate) ++ return -EIO; ++ + rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req); + if (rc) + return rc; +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 4a48fe4b84b6..589418d44310 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1459,9 +1459,9 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, + err = PTR_ERR(inode); + trace_nfs_atomic_open_exit(dir, ctx, open_flags, err); + put_nfs_open_context(ctx); ++ d_drop(dentry); + switch (err) { + case -ENOENT: +- d_drop(dentry); + d_add(dentry, NULL); + break; + case -EISDIR: +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 3b5e86fd2800..98eae9cc78be 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2583,12 +2583,11 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data) + call_close |= is_wronly; + else if (is_wronly) + calldata->arg.fmode |= FMODE_WRITE; ++ if (calldata->arg.fmode != (FMODE_READ|FMODE_WRITE)) ++ call_close |= is_rdwr; + } else if (is_rdwr) + calldata->arg.fmode |= FMODE_READ|FMODE_WRITE; + +- if (calldata->arg.fmode == 0) +- call_close |= is_rdwr; +- + if (!nfs4_valid_open_stateid(state)) + call_close = 0; + spin_unlock(&state->owner->so_lock); +diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c +index 11c1fba29312..f8e5593884a5 100644 +--- a/fs/nfsd/nfs2acl.c ++++ b/fs/nfsd/nfs2acl.c +@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct svc_rqst * rqstp, + goto out; + + inode = fh->fh_dentry->d_inode; +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + if (error) +- goto out_drop_write; ++ goto out_drop_lock; ++ ++ fh_unlock(fh); + + fh_drop_write(fh); + +@@ -131,7 +130,8 @@ out: + posix_acl_release(argp->acl_access); + posix_acl_release(argp->acl_default); + return nfserr; +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +diff --git a/fs/nfsd/nfs3acl.c b/fs/nfsd/nfs3acl.c +index adc5f1b1dc26..bcfef1c2b2a5 100644 +--- a/fs/nfsd/nfs3acl.c ++++ b/fs/nfsd/nfs3acl.c +@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct svc_rqst * rqstp, + goto out; + + inode = fh->fh_dentry->d_inode; +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c +index dea8c60954ba..1e8857b6dbba 100644 +--- a/fs/nfsd/nfs4acl.c ++++ b/fs/nfsd/nfs4acl.c +@@ -818,9 +818,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, + dentry = fhp->fh_dentry; + inode = dentry->d_inode; + +- if (!inode->i_op->set_acl || !IS_POSIXACL(inode)) +- return nfserr_attrnotsupp; +- + if (S_ISDIR(inode->i_mode)) + flags = NFS4_ACL_DIR; + +@@ -830,16 +827,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, + if (host_error < 0) + goto out_nfserr; + +- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS); ++ fh_lock(fhp); ++ ++ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl); + if (host_error < 0) +- goto out_release; ++ goto out_drop_lock; + + if (S_ISDIR(inode->i_mode)) { +- host_error = inode->i_op->set_acl(inode, dpacl, +- ACL_TYPE_DEFAULT); ++ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl); + } + +-out_release: ++out_drop_lock: ++ fh_unlock(fhp); ++ + posix_acl_release(pacl); + posix_acl_release(dpacl); + out_nfserr: +diff --git a/fs/posix_acl.c b/fs/posix_acl.c +index 0855f772cd41..3de7c223c963 100644 +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -787,38 +787,42 @@ posix_acl_xattr_get(struct dentry *dentry, const char *name, + return error; + } + +-static int +-posix_acl_xattr_set(struct dentry *dentry, const char *name, +- const void *value, size_t size, int flags, int type) ++int ++set_posix_acl(struct inode *inode, int type, struct posix_acl *acl) + { +- struct inode *inode = dentry->d_inode; +- struct posix_acl *acl = NULL; +- int ret; +- + if (!IS_POSIXACL(inode)) + return -EOPNOTSUPP; + if (!inode->i_op->set_acl) + return -EOPNOTSUPP; + + if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) +- return value ? -EACCES : 0; ++ return acl ? -EACCES : 0; + if (!inode_owner_or_capable(inode)) + return -EPERM; + ++ if (acl) { ++ int ret = posix_acl_valid(acl); ++ if (ret) ++ return ret; ++ } ++ return inode->i_op->set_acl(inode, acl, type); ++} ++EXPORT_SYMBOL(set_posix_acl); ++ ++static int ++posix_acl_xattr_set(struct dentry *dentry, const char *name, ++ const void *value, size_t size, int flags, int type) ++{ ++ struct inode *inode = dentry->d_inode; ++ struct posix_acl *acl = NULL; ++ int ret; ++ + if (value) { + acl = posix_acl_from_xattr(&init_user_ns, value, size); + if (IS_ERR(acl)) + return PTR_ERR(acl); +- +- if (acl) { +- ret = posix_acl_valid(acl); +- if (ret) +- goto out; +- } + } +- +- ret = inode->i_op->set_acl(inode, acl, type); +-out: ++ ret = set_posix_acl(inode, type, acl); + posix_acl_release(acl); + return ret; + } +diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c +index b56eb6275744..c0d8fde3e6d9 100644 +--- a/fs/ubifs/file.c ++++ b/fs/ubifs/file.c +@@ -54,6 +54,7 @@ + #include + #include + #include ++#include + + static int read_block(struct inode *inode, void *addr, unsigned int block, + struct ubifs_data_node *dn) +@@ -1423,6 +1424,26 @@ static int ubifs_set_page_dirty(struct page *page) + return ret; + } + ++#ifdef CONFIG_MIGRATION ++static int ubifs_migrate_page(struct address_space *mapping, ++ struct page *newpage, struct page *page, enum migrate_mode mode) ++{ ++ int rc; ++ ++ rc = migrate_page_move_mapping(mapping, newpage, page, NULL, mode, 0); ++ if (rc != MIGRATEPAGE_SUCCESS) ++ return rc; ++ ++ if (PagePrivate(page)) { ++ ClearPagePrivate(page); ++ SetPagePrivate(newpage); ++ } ++ ++ migrate_page_copy(newpage, page); ++ return MIGRATEPAGE_SUCCESS; ++} ++#endif ++ + static int ubifs_releasepage(struct page *page, gfp_t unused_gfp_flags) + { + /* +@@ -1559,6 +1580,9 @@ const struct address_space_operations ubifs_file_address_operations = { + .write_end = ubifs_write_end, + .invalidatepage = ubifs_invalidatepage, + .set_page_dirty = ubifs_set_page_dirty, ++#ifdef CONFIG_MIGRATION ++ .migratepage = ubifs_migrate_page, ++#endif + .releasepage = ubifs_releasepage, + }; + +diff --git a/include/linux/usb/ehci_def.h b/include/linux/usb/ehci_def.h +index daec99af5d54..1c88b177cb9c 100644 +--- a/include/linux/usb/ehci_def.h ++++ b/include/linux/usb/ehci_def.h +@@ -178,11 +178,11 @@ struct ehci_regs { + * PORTSCx + */ + /* HOSTPC: offset 0x84 */ +- u32 hostpc[1]; /* HOSTPC extension */ ++ u32 hostpc[0]; /* HOSTPC extension */ + #define HOSTPC_PHCD (1<<22) /* Phy clock disable */ + #define HOSTPC_PSPD (3<<25) /* Port speed detection */ + +- u32 reserved5[16]; ++ u32 reserved5[17]; + + /* USBMODE_EX: offset 0xc8 */ + u32 usbmode_ex; /* USB Device mode extension */ +diff --git a/kernel/signal.c b/kernel/signal.c +index d8db156e5f5c..78d0e8f3f4ad 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -3004,11 +3004,9 @@ static int do_rt_sigqueueinfo(pid_t pid, int sig, siginfo_t *info) + * Nor can they impersonate a kill()/tgkill(), which adds source info. + */ + if ((info->si_code >= 0 || info->si_code == SI_TKILL) && +- (task_pid_vnr(current) != pid)) { +- /* We used to allow any < 0 si_code */ +- WARN_ON_ONCE(info->si_code < 0); ++ (task_pid_vnr(current) != pid)) + return -EPERM; +- } ++ + info->si_signo = sig; + + /* POSIX.1b doesn't mention process groups. */ +@@ -3053,12 +3051,10 @@ static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info) + /* Not even root can pretend to send signals from the kernel. + * Nor can they impersonate a kill()/tgkill(), which adds source info. + */ +- if (((info->si_code >= 0 || info->si_code == SI_TKILL)) && +- (task_pid_vnr(current) != pid)) { +- /* We used to allow any < 0 si_code */ +- WARN_ON_ONCE(info->si_code < 0); ++ if ((info->si_code >= 0 || info->si_code == SI_TKILL) && ++ (task_pid_vnr(current) != pid)) + return -EPERM; +- } ++ + info->si_signo = sig; + + return do_send_specific(tgid, pid, sig, info); +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index 7b900474209d..6973eeca7d99 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -38,6 +38,10 @@ struct trace_bprintk_fmt { + static inline struct trace_bprintk_fmt *lookup_format(const char *fmt) + { + struct trace_bprintk_fmt *pos; ++ ++ if (!fmt) ++ return ERR_PTR(-EINVAL); ++ + list_for_each_entry(pos, &trace_bprintk_fmt_list, list) { + if (!strcmp(pos->fmt, fmt)) + return pos; +@@ -59,7 +63,8 @@ void hold_module_trace_bprintk_format(const char **start, const char **end) + for (iter = start; iter < end; iter++) { + struct trace_bprintk_fmt *tb_fmt = lookup_format(*iter); + if (tb_fmt) { +- *iter = tb_fmt->fmt; ++ if (!IS_ERR(tb_fmt)) ++ *iter = tb_fmt->fmt; + continue; + } + +diff --git a/mm/migrate.c b/mm/migrate.c +index 3acac4a62c4b..23ca861c93e9 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -423,6 +423,7 @@ int migrate_page_move_mapping(struct address_space *mapping, + + return MIGRATEPAGE_SUCCESS; + } ++EXPORT_SYMBOL(migrate_page_move_mapping); + + /* + * The expected number of remaining references is the same as that +@@ -582,6 +583,7 @@ void migrate_page_copy(struct page *newpage, struct page *page) + if (PageWriteback(newpage)) + end_page_writeback(newpage); + } ++EXPORT_SYMBOL(migrate_page_copy); + + /************************************************************ + * Migration functions +diff --git a/mm/shmem.c b/mm/shmem.c +index 85d8a1a3626c..8791289974c3 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -1893,9 +1893,11 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, + NULL); + if (error) { + /* Remove the !PageUptodate pages we added */ +- shmem_undo_range(inode, +- (loff_t)start << PAGE_CACHE_SHIFT, +- (loff_t)index << PAGE_CACHE_SHIFT, true); ++ if (index > start) { ++ shmem_undo_range(inode, ++ (loff_t)start << PAGE_CACHE_SHIFT, ++ ((loff_t)index << PAGE_CACHE_SHIFT) - 1, true); ++ } + goto undone; + } + +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 42809cf91488..afdbfd65e71f 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -883,8 +883,10 @@ static struct mfc_cache *ipmr_cache_alloc(void) + { + struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); + +- if (c) ++ if (c) { ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; + c->mfc_un.res.minvif = MAXVIFS; ++ } + return c; + } + +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 8b61288e5746..86d30e60242a 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1076,6 +1076,7 @@ static struct mfc6_cache *ip6mr_cache_alloc(void) + struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); + if (c == NULL) + return NULL; ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; + c->mfc_un.res.minvif = MAXMIFS; + return c; + } +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 317b6dbf3190..fe2c3320e8fe 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -559,13 +559,13 @@ static int ipip6_err(struct sk_buff *skb, u32 info) + + if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) { + ipv4_update_pmtu(skb, dev_net(skb->dev), info, +- t->parms.link, 0, IPPROTO_IPV6, 0); ++ t->parms.link, 0, iph->protocol, 0); + err = 0; + goto out; + } + if (type == ICMP_REDIRECT) { + ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0, +- IPPROTO_IPV6, 0); ++ iph->protocol, 0); + err = 0; + goto out; + } +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 3d52d1d68431..f3057767b53d 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -161,6 +161,10 @@ void mesh_sta_cleanup(struct sta_info *sta) + del_timer_sync(&sta->plink_timer); + } + ++ /* make sure no readers can access nexthop sta from here on */ ++ mesh_path_flush_by_nexthop(sta); ++ synchronize_net(); ++ + if (changed) + ieee80211_mbss_info_change_notify(sdata, changed); + } +diff --git a/security/keys/key.c b/security/keys/key.c +index 6e21c11e48bc..9478d668f874 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -575,7 +575,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(&key_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, &key->index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ +diff --git a/sound/core/control.c b/sound/core/control.c +index 3fcead61f0ef..251bc575f5c3 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *card, unsigned int mask, + + if (snd_BUG_ON(!card || !id)) + return; ++ if (card->shutdown) ++ return; + read_lock(&card->ctl_files_rwlock); + #if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE) + card->mixer_oss_change_count++; +diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c +index 8946cef245fc..fe5750a05368 100644 +--- a/sound/drivers/dummy.c ++++ b/sound/drivers/dummy.c +@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd_pcm_substream *substream) + + static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm) + { ++ hrtimer_cancel(&dpcm->timer); + tasklet_kill(&dpcm->tasklet); + } + +diff --git a/sound/pci/au88x0/au88x0_core.c b/sound/pci/au88x0/au88x0_core.c +index ae59dbaa53d9..42d4b13f1fa7 100644 +--- a/sound/pci/au88x0/au88x0_core.c ++++ b/sound/pci/au88x0/au88x0_core.c +@@ -1442,9 +1442,8 @@ static int vortex_wtdma_bufshift(vortex_t * vortex, int wtdma) + int page, p, pp, delta, i; + + page = +- (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) & +- WT_SUBBUF_MASK) +- >> WT_SUBBUF_SHIFT; ++ (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) ++ >> WT_SUBBUF_SHIFT) & WT_SUBBUF_MASK; + if (dma->nr_periods >= 4) + delta = (page - dma->period_real) & 3; + else { +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 9e5cd217ffaf..2b7ad3a908de 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2455,7 +2455,7 @@ static long kvm_vm_ioctl(struct file *filp, + if (copy_from_user(&routing, argp, sizeof(routing))) + goto out; + r = -EINVAL; +- if (routing.nr >= KVM_MAX_IRQ_ROUTES) ++ if (routing.nr > KVM_MAX_IRQ_ROUTES) + goto out; + if (routing.flags) + goto out; diff --git a/patch/kernel/cubox-dev/patch-3.14.74-75.patch b/patch/kernel/cubox-dev/patch-3.14.74-75.patch new file mode 100644 index 000000000..44250515b --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.74-75.patch @@ -0,0 +1,553 @@ +diff --git a/Makefile b/Makefile +index d2fb4dae6ecb..9e6e6131e986 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 74 ++SUBLEVEL = 75 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c +index fb98769b6a98..3e349aefdb9e 100644 +--- a/arch/arc/kernel/stacktrace.c ++++ b/arch/arc/kernel/stacktrace.c +@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk, struct pt_regs *regs, + * prelogue is setup (callee regs saved and then fp set and not other + * way around + */ +- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n"); ++ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n"); + return 0; + + #endif +diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S +index 79bfc81358c9..0af8fc213546 100644 +--- a/arch/arc/mm/tlbex.S ++++ b/arch/arc/mm/tlbex.S +@@ -89,7 +89,7 @@ ex_saved_reg1: + #ifdef CONFIG_SMP + sr r0, [ARC_REG_SCRATCH_DATA0] ; freeup r0 to code with + GET_CPU_ID r0 ; get to per cpu scratch mem, +- lsl r0, r0, L1_CACHE_SHIFT ; cache line wide per cpu ++ asl r0, r0, L1_CACHE_SHIFT ; cache line wide per cpu + add r0, @ex_saved_reg1, r0 + #else + st r0, [@ex_saved_reg1] +@@ -108,7 +108,7 @@ ex_saved_reg1: + .macro TLBMISS_RESTORE_REGS + #ifdef CONFIG_SMP + GET_CPU_ID r0 ; get to per cpu scratch mem +- lsl r0, r0, L1_CACHE_SHIFT ; each is cache line wide ++ asl r0, r0, L1_CACHE_SHIFT ; each is cache line wide + add r0, @ex_saved_reg1, r0 + ld_s r3, [r0,12] + ld_s r2, [r0, 8] +@@ -220,7 +220,7 @@ ex_saved_reg1: + + .macro CONV_PTE_TO_TLB + and r3, r0, PTE_BITS_RWX ; r w x +- lsl r2, r3, 3 ; r w x 0 0 0 ++ asl r2, r3, 3 ; Kr Kw Kx 0 0 0 (GLOBAL, kernel only) + and.f 0, r0, _PAGE_GLOBAL + or.z r2, r2, r3 ; r w x r w x + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 517829f6a58b..4b67f70feab9 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -844,6 +844,9 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id + struct usb_endpoint_descriptor *ep_irq_in; + int i, error; + ++ if (intf->cur_altsetting->desc.bNumEndpoints != 2) ++ return -ENODEV; ++ + for (i = 0; xpad_device[i].idVendor; i++) { + if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) && + (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct)) +diff --git a/drivers/input/touchscreen/wacom_w8001.c b/drivers/input/touchscreen/wacom_w8001.c +index 2792ca397dd0..3ed0ce1e4dcb 100644 +--- a/drivers/input/touchscreen/wacom_w8001.c ++++ b/drivers/input/touchscreen/wacom_w8001.c +@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar "); + MODULE_DESCRIPTION(DRIVER_DESC); + MODULE_LICENSE("GPL"); + +-#define W8001_MAX_LENGTH 11 ++#define W8001_MAX_LENGTH 13 + #define W8001_LEAD_MASK 0x80 + #define W8001_LEAD_BYTE 0x80 + #define W8001_TAB_MASK 0x40 +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index 508380b6a10d..2cc6082d0060 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -1610,8 +1610,8 @@ static void mmc_blk_packed_hdr_wrq_prep(struct mmc_queue_req *mqrq, + + packed_cmd_hdr = packed->cmd_hdr; + memset(packed_cmd_hdr, 0, sizeof(packed->cmd_hdr)); +- packed_cmd_hdr[0] = (packed->nr_entries << 16) | +- (PACKED_CMD_WR << 8) | PACKED_CMD_VER; ++ packed_cmd_hdr[0] = cpu_to_le32((packed->nr_entries << 16) | ++ (PACKED_CMD_WR << 8) | PACKED_CMD_VER); + hdr_blocks = mmc_large_sector(card) ? 8 : 1; + + /* +@@ -1625,14 +1625,14 @@ static void mmc_blk_packed_hdr_wrq_prep(struct mmc_queue_req *mqrq, + ((brq->data.blocks * brq->data.blksz) >= + card->ext_csd.data_tag_unit_size); + /* Argument of CMD23 */ +- packed_cmd_hdr[(i * 2)] = ++ packed_cmd_hdr[(i * 2)] = cpu_to_le32( + (do_rel_wr ? MMC_CMD23_ARG_REL_WR : 0) | + (do_data_tag ? MMC_CMD23_ARG_TAG_REQ : 0) | +- blk_rq_sectors(prq); ++ blk_rq_sectors(prq)); + /* Argument of CMD18 or CMD25 */ +- packed_cmd_hdr[((i * 2)) + 1] = ++ packed_cmd_hdr[((i * 2)) + 1] = cpu_to_le32( + mmc_card_blockaddr(card) ? +- blk_rq_pos(prq) : blk_rq_pos(prq) << 9; ++ blk_rq_pos(prq) : blk_rq_pos(prq) << 9); + packed->blocks += blk_rq_sectors(prq); + i++; + } +diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c +index 6efe27458116..8e2d394628ed 100644 +--- a/drivers/net/can/at91_can.c ++++ b/drivers/net/can/at91_can.c +@@ -730,9 +730,10 @@ static int at91_poll_rx(struct net_device *dev, int quota) + + /* upper group completed, look again in lower */ + if (priv->rx_next > get_mb_rx_low_last(priv) && +- quota > 0 && mb > get_mb_rx_last(priv)) { ++ mb > get_mb_rx_last(priv)) { + priv->rx_next = get_mb_rx_first(priv); +- goto again; ++ if (quota > 0) ++ goto again; + } + + return received; +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 84ad2b44377c..fa78e45a2bee 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -665,6 +665,9 @@ static int can_changelink(struct net_device *dev, + } + } + ++ if (!data) ++ return 0; ++ + if (data[IFLA_CAN_CTRLMODE]) { + struct can_ctrlmode *cm; + +@@ -768,6 +771,11 @@ static int can_newlink(struct net *src_net, struct net_device *dev, + return -EOPNOTSUPP; + } + ++static void can_dellink(struct net_device *dev, struct list_head *head) ++{ ++ return; ++} ++ + static struct rtnl_link_ops can_link_ops __read_mostly = { + .kind = "can", + .maxtype = IFLA_CAN_MAX, +@@ -775,6 +783,7 @@ static struct rtnl_link_ops can_link_ops __read_mostly = { + .setup = can_setup, + .newlink = can_newlink, + .changelink = can_changelink, ++ .dellink = can_dellink, + .get_size = can_get_size, + .fill_info = can_fill_info, + .get_xstats_size = can_get_xstats_size, +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index c089fa1ceea9..f4c86225be36 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -213,7 +213,7 @@ + /* Various constants */ + + /* Coalescing */ +-#define MVNETA_TXDONE_COAL_PKTS 1 ++#define MVNETA_TXDONE_COAL_PKTS 0 /* interrupt per packet */ + #define MVNETA_RX_COAL_PKTS 32 + #define MVNETA_RX_COAL_USEC 100 + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index fa2dcbcdb921..c2f616f515c3 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1616,6 +1616,9 @@ static inline void pcs_irq_set(struct pcs_soc_data *pcs_soc, + else + mask &= ~soc_mask; + pcs->write(mask, pcswi->reg); ++ ++ /* flush posted write */ ++ mask = pcs->read(pcswi->reg); + raw_spin_unlock(&pcs->lock); + } + +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 908d82529ee9..668acd6c7bc8 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -906,6 +906,7 @@ static void qeth_l2_remove_device(struct ccwgroup_device *cgdev) + qeth_l2_set_offline(cgdev); + + if (card->dev) { ++ netif_napi_del(&card->napi); + unregister_netdev(card->dev); + card->dev = NULL; + } +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index 3524d34ff694..59759f72c24f 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -3333,6 +3333,7 @@ static void qeth_l3_remove_device(struct ccwgroup_device *cgdev) + qeth_l3_set_offline(cgdev); + + if (card->dev) { ++ netif_napi_del(&card->napi); + unregister_netdev(card->dev); + card->dev = NULL; + } +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index 2b7bc7df1edf..9d92f798b8b2 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -9644,6 +9644,7 @@ static int ipr_probe_ioa(struct pci_dev *pdev, + ioa_cfg->intr_flag = IPR_USE_MSI; + else { + ioa_cfg->intr_flag = IPR_USE_LSI; ++ ioa_cfg->clear_isr = 1; + ioa_cfg->nvectors = 1; + dev_info(&pdev->dev, "Cannot enable MSI.\n"); + } +diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c +index 75fe3d466515..ba3fac8318bb 100644 +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev *dev, int offset, int size, + field_start = OFFSET(cfg_entry); + field_end = OFFSET(cfg_entry) + field->size; + +- if ((req_start >= field_start && req_start < field_end) +- || (req_end > field_start && req_end <= field_end)) { ++ if (req_end > field_start && field_end > req_start) { + err = conf_space_read(dev, cfg_entry, field_start, + &tmp_val); + if (err) +@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_dev *dev, int offset, int size, u32 value) + field_start = OFFSET(cfg_entry); + field_end = OFFSET(cfg_entry) + field->size; + +- if ((req_start >= field_start && req_start < field_end) +- || (req_end > field_start && req_end <= field_end)) { ++ if (req_end > field_start && field_end > req_start) { + tmp_val = 0; + + err = xen_pcibk_config_read(dev, field_start, +diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c +index 03df50211c48..eb0c26a36b03 100644 +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -178,6 +178,19 @@ out: + return rc; + } + ++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma) ++{ ++ struct file *lower_file = ecryptfs_file_to_lower(file); ++ /* ++ * Don't allow mmap on top of file systems that don't support it ++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs ++ * allows recursive mounting, this will need to be extended. ++ */ ++ if (!lower_file->f_op->mmap) ++ return -ENODEV; ++ return generic_file_mmap(file, vma); ++} ++ + /** + * ecryptfs_open + * @inode: inode speciying file to open +@@ -349,7 +362,7 @@ const struct file_operations ecryptfs_main_fops = { + #ifdef CONFIG_COMPAT + .compat_ioctl = ecryptfs_compat_ioctl, + #endif +- .mmap = generic_file_mmap, ++ .mmap = ecryptfs_mmap, + .open = ecryptfs_open, + .flush = ecryptfs_flush, + .release = ecryptfs_release, +diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c +index 9b661a4ccee7..f1ea610362c6 100644 +--- a/fs/ecryptfs/kthread.c ++++ b/fs/ecryptfs/kthread.c +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include "ecryptfs_kernel.h" + + struct ecryptfs_open_req { +@@ -148,7 +147,7 @@ int ecryptfs_privileged_open(struct file **lower_file, + flags |= IS_RDONLY(lower_dentry->d_inode) ? O_RDONLY : O_RDWR; + (*lower_file) = dentry_open(&req.path, flags, cred); + if (!IS_ERR(*lower_file)) +- goto have_file; ++ goto out; + if ((flags & O_ACCMODE) == O_RDONLY) { + rc = PTR_ERR((*lower_file)); + goto out; +@@ -166,16 +165,8 @@ int ecryptfs_privileged_open(struct file **lower_file, + mutex_unlock(&ecryptfs_kthread_ctl.mux); + wake_up(&ecryptfs_kthread_ctl.wait); + wait_for_completion(&req.done); +- if (IS_ERR(*lower_file)) { ++ if (IS_ERR(*lower_file)) + rc = PTR_ERR(*lower_file); +- goto out; +- } +-have_file: +- if ((*lower_file)->f_op->mmap == NULL) { +- fput(*lower_file); +- *lower_file = NULL; +- rc = -EMEDIUMTYPE; +- } + out: + return rc; + } +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 4e237a6b4b33..a3be02e03021 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -452,6 +452,10 @@ static int __ext4_ext_check(const char *function, unsigned int line, + error_msg = "invalid extent entries"; + goto corrupted; + } ++ if (unlikely(depth > 32)) { ++ error_msg = "too large eh_depth"; ++ goto corrupted; ++ } + /* Verify checksum on non-root extent tree nodes */ + if (ext_depth(inode) != depth && + !ext4_extent_block_csum_verify(inode, eh)) { +diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c +index 94c451ce6d24..30c047e0bad2 100644 +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -431,7 +431,7 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp) + if (!sbp || le16_to_cpu(sbp->s_magic) != NILFS_SUPER_MAGIC) + return 0; + bytes = le16_to_cpu(sbp->s_bytes); +- if (bytes > BLOCK_SIZE) ++ if (bytes < sumoff + 4 || bytes > BLOCK_SIZE) + return 0; + crc = crc32_le(le32_to_cpu(sbp->s_crc_seed), (unsigned char *)sbp, + sumoff); +diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c +index bde94d853b2b..64bc3d959992 100644 +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -825,6 +825,110 @@ bad: + } + + /* ++ * Encoding order is (new_up_client, new_state, new_weight). Need to ++ * apply in the (new_weight, new_state, new_up_client) order, because ++ * an incremental map may look like e.g. ++ * ++ * new_up_client: { osd=6, addr=... } # set osd_state and addr ++ * new_state: { osd=6, xorstate=EXISTS } # clear osd_state ++ */ ++static int decode_new_up_state_weight(void **p, void *end, ++ struct ceph_osdmap *map) ++{ ++ void *new_up_client; ++ void *new_state; ++ void *new_weight_end; ++ u32 len; ++ ++ new_up_client = *p; ++ ceph_decode_32_safe(p, end, len, e_inval); ++ len *= sizeof(u32) + sizeof(struct ceph_entity_addr); ++ ceph_decode_need(p, end, len, e_inval); ++ *p += len; ++ ++ new_state = *p; ++ ceph_decode_32_safe(p, end, len, e_inval); ++ len *= sizeof(u32) + sizeof(u8); ++ ceph_decode_need(p, end, len, e_inval); ++ *p += len; ++ ++ /* new_weight */ ++ ceph_decode_32_safe(p, end, len, e_inval); ++ while (len--) { ++ s32 osd; ++ u32 w; ++ ++ ceph_decode_need(p, end, 2*sizeof(u32), e_inval); ++ osd = ceph_decode_32(p); ++ w = ceph_decode_32(p); ++ BUG_ON(osd >= map->max_osd); ++ pr_info("osd%d weight 0x%x %s\n", osd, w, ++ w == CEPH_OSD_IN ? "(in)" : ++ (w == CEPH_OSD_OUT ? "(out)" : "")); ++ map->osd_weight[osd] = w; ++ ++ /* ++ * If we are marking in, set the EXISTS, and clear the ++ * AUTOOUT and NEW bits. ++ */ ++ if (w) { ++ map->osd_state[osd] |= CEPH_OSD_EXISTS; ++ map->osd_state[osd] &= ~(CEPH_OSD_AUTOOUT | ++ CEPH_OSD_NEW); ++ } ++ } ++ new_weight_end = *p; ++ ++ /* new_state (up/down) */ ++ *p = new_state; ++ len = ceph_decode_32(p); ++ while (len--) { ++ s32 osd; ++ u8 xorstate; ++ ++ osd = ceph_decode_32(p); ++ xorstate = ceph_decode_8(p); ++ if (xorstate == 0) ++ xorstate = CEPH_OSD_UP; ++ BUG_ON(osd >= map->max_osd); ++ if ((map->osd_state[osd] & CEPH_OSD_UP) && ++ (xorstate & CEPH_OSD_UP)) ++ pr_info("osd%d down\n", osd); ++ if ((map->osd_state[osd] & CEPH_OSD_EXISTS) && ++ (xorstate & CEPH_OSD_EXISTS)) { ++ pr_info("osd%d does not exist\n", osd); ++ map->osd_weight[osd] = CEPH_OSD_IN; ++ memset(map->osd_addr + osd, 0, sizeof(*map->osd_addr)); ++ map->osd_state[osd] = 0; ++ } else { ++ map->osd_state[osd] ^= xorstate; ++ } ++ } ++ ++ /* new_up_client */ ++ *p = new_up_client; ++ len = ceph_decode_32(p); ++ while (len--) { ++ s32 osd; ++ struct ceph_entity_addr addr; ++ ++ osd = ceph_decode_32(p); ++ ceph_decode_copy(p, &addr, sizeof(addr)); ++ ceph_decode_addr(&addr); ++ BUG_ON(osd >= map->max_osd); ++ pr_info("osd%d up\n", osd); ++ map->osd_state[osd] |= CEPH_OSD_EXISTS | CEPH_OSD_UP; ++ map->osd_addr[osd] = addr; ++ } ++ ++ *p = new_weight_end; ++ return 0; ++ ++e_inval: ++ return -EINVAL; ++} ++ ++/* + * decode and apply an incremental map update. + */ + struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, +@@ -939,50 +1043,10 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, + __remove_pg_pool(&map->pg_pools, pi); + } + +- /* new_up */ +- err = -EINVAL; +- ceph_decode_32_safe(p, end, len, bad); +- while (len--) { +- u32 osd; +- struct ceph_entity_addr addr; +- ceph_decode_32_safe(p, end, osd, bad); +- ceph_decode_copy_safe(p, end, &addr, sizeof(addr), bad); +- ceph_decode_addr(&addr); +- pr_info("osd%d up\n", osd); +- BUG_ON(osd >= map->max_osd); +- map->osd_state[osd] |= CEPH_OSD_UP; +- map->osd_addr[osd] = addr; +- } +- +- /* new_state */ +- ceph_decode_32_safe(p, end, len, bad); +- while (len--) { +- u32 osd; +- u8 xorstate; +- ceph_decode_32_safe(p, end, osd, bad); +- xorstate = **(u8 **)p; +- (*p)++; /* clean flag */ +- if (xorstate == 0) +- xorstate = CEPH_OSD_UP; +- if (xorstate & CEPH_OSD_UP) +- pr_info("osd%d down\n", osd); +- if (osd < map->max_osd) +- map->osd_state[osd] ^= xorstate; +- } +- +- /* new_weight */ +- ceph_decode_32_safe(p, end, len, bad); +- while (len--) { +- u32 osd, off; +- ceph_decode_need(p, end, sizeof(u32)*2, bad); +- osd = ceph_decode_32(p); +- off = ceph_decode_32(p); +- pr_info("osd%d weight 0x%x %s\n", osd, off, +- off == CEPH_OSD_IN ? "(in)" : +- (off == CEPH_OSD_OUT ? "(out)" : "")); +- if (osd < map->max_osd) +- map->osd_weight[osd] = off; +- } ++ /* new_up_client, new_state, new_weight */ ++ err = decode_new_up_state_weight(p, end, map); ++ if (err) ++ goto bad; + + /* new_pg_temp */ + ceph_decode_32_safe(p, end, len, bad); +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 38742e826900..3476895ee1fb 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1208,6 +1208,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, + tu->tstamp = *tstamp; + if ((tu->filter & (1 << event)) == 0 || !tu->tread) + return; ++ memset(&r1, 0, sizeof(r1)); + r1.event = event; + r1.tstamp = *tstamp; + r1.val = resolution; +@@ -1242,6 +1243,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; +@@ -1707,6 +1709,7 @@ static int snd_timer_user_params(struct file *file, + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { + if (tu->tread) { + struct snd_timer_tread tread; ++ memset(&tread, 0, sizeof(tread)); + tread.event = SNDRV_TIMER_EVENT_EARLY; + tread.tstamp.tv_sec = 0; + tread.tstamp.tv_nsec = 0; diff --git a/patch/kernel/cubox-dev/patch-3.14.75-76.patch b/patch/kernel/cubox-dev/patch-3.14.75-76.patch new file mode 100644 index 000000000..6ff6b53f8 --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.75-76.patch @@ -0,0 +1,1346 @@ +diff --git a/Makefile b/Makefile +index 9e6e6131e986..306fd306906b 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 75 ++SUBLEVEL = 76 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c +index 3e94811690ce..a0aee80b608d 100644 +--- a/arch/arm/kernel/sys_oabi-compat.c ++++ b/arch/arm/kernel/sys_oabi-compat.c +@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd, + mm_segment_t fs; + long ret, err, i; + +- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event))) ++ if (maxevents <= 0 || ++ maxevents > (INT_MAX/sizeof(*kbuf)) || ++ maxevents > (INT_MAX/sizeof(*events))) + return -EINVAL; ++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents)) ++ return -EFAULT; + kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL); + if (!kbuf) + return -ENOMEM; +@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid, + + if (nsops < 1 || nsops > SEMOPM) + return -EINVAL; ++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops)) ++ return -EFAULT; + sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); + if (!sops) + return -ENOMEM; +diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S +index f7e5b72cf481..79747b85777a 100644 +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -350,7 +350,7 @@ EXPORT(sysn32_call_table) + PTR sys_ni_syscall /* available, was setaltroot */ + PTR sys_add_key + PTR sys_request_key +- PTR sys_keyctl /* 6245 */ ++ PTR compat_sys_keyctl /* 6245 */ + PTR sys_set_thread_area + PTR sys_inotify_init + PTR sys_inotify_add_watch +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index 6788727d91af..af499022f3fb 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -474,7 +474,7 @@ EXPORT(sys32_call_table) + PTR sys_ni_syscall /* available, was setaltroot */ + PTR sys_add_key /* 4280 */ + PTR sys_request_key +- PTR sys_keyctl ++ PTR compat_sys_keyctl + PTR sys_set_thread_area + PTR sys_inotify_init + PTR sys_inotify_add_watch /* 4285 */ +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index be12c534fd59..29a3d1b00ca9 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -42,7 +42,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + #endif + cpumask_set_cpu(cpu, mm_cpumask(next)); + +- /* Re-load page tables */ ++ /* ++ * Re-load page tables. ++ * ++ * This logic has an ordering constraint: ++ * ++ * CPU 0: Write to a PTE for 'next' ++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI. ++ * CPU 1: set bit 1 in next's mm_cpumask ++ * CPU 1: load from the PTE that CPU 0 writes (implicit) ++ * ++ * We need to prevent an outcome in which CPU 1 observes ++ * the new PTE value and CPU 0 observes bit 1 clear in ++ * mm_cpumask. (If that occurs, then the IPI will never ++ * be sent, and CPU 0's TLB will contain a stale entry.) ++ * ++ * The bad outcome can occur if either CPU's load is ++ * reordered before that CPU's store, so both CPUs must ++ * execute full barriers to prevent this from happening. ++ * ++ * Thus, switch_mm needs a full barrier between the ++ * store to mm_cpumask and any operation that could load ++ * from next->pgd. TLB fills are special and can happen ++ * due to instruction fetches or for no reason at all, ++ * and neither LOCK nor MFENCE orders them. ++ * Fortunately, load_cr3() is serializing and gives the ++ * ordering guarantee we need. ++ * ++ */ + load_cr3(next->pgd); + + /* Stop flush ipis for the previous mm */ +@@ -65,10 +92,14 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * schedule, protecting us from simultaneous changes. + */ + cpumask_set_cpu(cpu, mm_cpumask(next)); ++ + /* + * We were in lazy tlb mode and leave_mm disabled + * tlb flush IPI delivery. We must reload CR3 + * to make sure to use no freed page tables. ++ * ++ * As above, load_cr3() is serializing and orders TLB ++ * fills with respect to the mm_cpumask write. + */ + load_cr3(next->pgd); + load_LDT_nolock(&next->context); +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index dd8dda167a24..46e82e75192e 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -152,7 +152,10 @@ void flush_tlb_current_task(void) + preempt_disable(); + + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); ++ ++ /* This is an implicit full barrier that synchronizes with switch_mm. */ + local_flush_tlb(); ++ + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) + flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); + preempt_enable(); +@@ -166,11 +169,19 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + unsigned long nr_base_pages; + + preempt_disable(); +- if (current->active_mm != mm) ++ if (current->active_mm != mm) { ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto flush_all; ++ } + + if (!current->mm) { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto flush_all; + } + +@@ -222,10 +233,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start) + preempt_disable(); + + if (current->active_mm == mm) { +- if (current->mm) ++ if (current->mm) { ++ /* ++ * Implicit full barrier (INVLPG) that synchronizes ++ * with switch_mm. ++ */ + __flush_tlb_one(start); +- else ++ } else { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ } + } + + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) +diff --git a/block/genhd.c b/block/genhd.c +index 9316f5fd416f..38d4ba122a43 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v) + if (iter) { + class_dev_iter_exit(iter); + kfree(iter); ++ seqf->private = NULL; + } + } + +diff --git a/crypto/gcm.c b/crypto/gcm.c +index f0bd00b15f26..d2a0f7371cf0 100644 +--- a/crypto/gcm.c ++++ b/crypto/gcm.c +@@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb, + + ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type, + CRYPTO_ALG_TYPE_HASH, +- CRYPTO_ALG_TYPE_AHASH_MASK); ++ CRYPTO_ALG_TYPE_AHASH_MASK | ++ crypto_requires_sync(algt->type, ++ algt->mask)); + if (IS_ERR(ghash_alg)) + return ERR_CAST(ghash_alg); + +diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c +index 79ca2278c2a3..0ec7a6fa3d4d 100644 +--- a/crypto/scatterwalk.c ++++ b/crypto/scatterwalk.c +@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct scatter_walk *walk, int out, + + void scatterwalk_done(struct scatter_walk *walk, int out, int more) + { +- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more) ++ if (!more || walk->offset >= walk->sg->offset + walk->sg->length || ++ !(walk->offset & (PAGE_SIZE - 1))) + scatterwalk_pagedone(walk, out, more); + } + EXPORT_SYMBOL_GPL(scatterwalk_done); +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 8a64dbeae7b1..d20ac1997886 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -698,15 +698,18 @@ retry: + } + } + +-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits) ++static int credit_entropy_bits_safe(struct entropy_store *r, int nbits) + { + const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1)); + ++ if (nbits < 0) ++ return -EINVAL; ++ + /* Cap the value to avoid overflows */ + nbits = min(nbits, nbits_max); +- nbits = max(nbits, -nbits_max); + + credit_entropy_bits(r, nbits); ++ return 0; + } + + /********************************************************************* +@@ -1420,8 +1423,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + return -EPERM; + if (get_user(ent_count, p)) + return -EFAULT; +- credit_entropy_bits_safe(&input_pool, ent_count); +- return 0; ++ return credit_entropy_bits_safe(&input_pool, ent_count); + case RNDADDENTROPY: + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -1435,8 +1437,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + size); + if (retval < 0) + return retval; +- credit_entropy_bits_safe(&input_pool, ent_count); +- return 0; ++ return credit_entropy_bits_safe(&input_pool, ent_count); + case RNDZAPENTCNT: + case RNDCLEARPOOL: + /* +diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c +index f2f63933e8a9..5befec118a18 100644 +--- a/drivers/infiniband/core/ucm.c ++++ b/drivers/infiniband/core/ucm.c +@@ -48,6 +48,7 @@ + + #include + ++#include + #include + #include + #include +@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf, + struct ib_ucm_cmd_hdr hdr; + ssize_t result; + ++ if (WARN_ON_ONCE(!ib_safe_file_access(filp))) ++ return -EACCES; ++ + if (len < sizeof(hdr)) + return -EINVAL; + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 45d67e9228d7..81dd84d0b68b 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1487,6 +1487,9 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf, + struct rdma_ucm_cmd_hdr hdr; + ssize_t ret; + ++ if (WARN_ON_ONCE(!ib_safe_file_access(filp))) ++ return -EACCES; ++ + if (len < sizeof(hdr)) + return -EINVAL; + +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c +index 8802d5ccd93d..f3ecfe4b9571 100644 +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -48,6 +48,8 @@ + + #include + ++#include ++ + #include "uverbs.h" + + MODULE_AUTHOR("Roland Dreier"); +@@ -605,6 +607,9 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf, + struct ib_uverbs_cmd_hdr hdr; + __u32 flags; + ++ if (WARN_ON_ONCE(!ib_safe_file_access(filp))) ++ return -EACCES; ++ + if (count < sizeof hdr) + return -EINVAL; + +diff --git a/drivers/infiniband/hw/ipath/ipath_file_ops.c b/drivers/infiniband/hw/ipath/ipath_file_ops.c +index 6d7f453b4d05..34aeb14f486a 100644 +--- a/drivers/infiniband/hw/ipath/ipath_file_ops.c ++++ b/drivers/infiniband/hw/ipath/ipath_file_ops.c +@@ -45,6 +45,8 @@ + #include + #include + ++#include "rdma/ib.h" ++ + #include "ipath_kernel.h" + #include "ipath_common.h" + #include "ipath_user_sdma.h" +@@ -2240,6 +2242,9 @@ static ssize_t ipath_write(struct file *fp, const char __user *data, + ssize_t ret = 0; + void *dest; + ++ if (WARN_ON_ONCE(!ib_safe_file_access(fp))) ++ return -EACCES; ++ + if (count < sizeof(cmd.type)) { + ret = -EINVAL; + goto bail; +diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c +index 2023cd61b897..3c089ca85c64 100644 +--- a/drivers/infiniband/hw/qib/qib_file_ops.c ++++ b/drivers/infiniband/hw/qib/qib_file_ops.c +@@ -45,6 +45,8 @@ + #include + #include + ++#include ++ + #include "qib.h" + #include "qib_common.h" + #include "qib_user_sdma.h" +@@ -2058,6 +2060,9 @@ static ssize_t qib_write(struct file *fp, const char __user *data, + ssize_t ret = 0; + void *dest; + ++ if (WARN_ON_ONCE(!ib_safe_file_access(fp))) ++ return -EACCES; ++ + if (count < sizeof(cmd.type)) { + ret = -EINVAL; + goto bail; +diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c +index 70651f8e8e3b..e6fc358add9f 100644 +--- a/drivers/net/bonding/bond_netlink.c ++++ b/drivers/net/bonding/bond_netlink.c +@@ -360,7 +360,11 @@ static int bond_newlink(struct net *src_net, struct net_device *bond_dev, + if (err < 0) + return err; + +- return register_netdevice(bond_dev); ++ err = register_netdevice(bond_dev); ++ ++ netif_carrier_off(bond_dev); ++ ++ return err; + } + + static size_t bond_get_size(const struct net_device *bond_dev) +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 584504e6e95c..df544c93735b 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -571,24 +571,13 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting); + + static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf) + { +- int ret; +- + /* MBIM backwards compatible function? */ + cdc_ncm_select_altsetting(dev, intf); + if (cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting)) + return -ENODEV; + + /* NCM data altsetting is always 1 */ +- ret = cdc_ncm_bind_common(dev, intf, 1); +- +- /* +- * We should get an event when network connection is "connected" or +- * "disconnected". Set network connection in "disconnected" state +- * (carrier is OFF) during attach, so the IP network stack does not +- * start IPv6 negotiation and more. +- */ +- usbnet_link_change(dev, 0, 0); +- return ret; ++ return cdc_ncm_bind_common(dev, intf, 1); + } + + static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max) +@@ -1117,7 +1106,8 @@ static int cdc_ncm_check_connect(struct usbnet *dev) + + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", +- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET, ++ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET ++ | FLAG_LINK_INTR, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .check_connect = cdc_ncm_check_connect, +@@ -1131,7 +1121,7 @@ static const struct driver_info cdc_ncm_info = { + static const struct driver_info wwan_info = { + .description = "Mobile Broadband Network Device", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_WWAN, ++ | FLAG_LINK_INTR | FLAG_WWAN, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .check_connect = cdc_ncm_check_connect, +@@ -1145,7 +1135,7 @@ static const struct driver_info wwan_info = { + static const struct driver_info wwan_noarp_info = { + .description = "Mobile Broadband Network Device (NO ARP)", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_WWAN | FLAG_NOARP, ++ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .check_connect = cdc_ncm_check_connect, +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 719bd8257520..293155e0571d 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -540,66 +540,6 @@ void scsi_run_host_queues(struct Scsi_Host *shost) + + static void __scsi_release_buffers(struct scsi_cmnd *, int); + +-/* +- * Function: scsi_end_request() +- * +- * Purpose: Post-processing of completed commands (usually invoked at end +- * of upper level post-processing and scsi_io_completion). +- * +- * Arguments: cmd - command that is complete. +- * error - 0 if I/O indicates success, < 0 for I/O error. +- * bytes - number of bytes of completed I/O +- * requeue - indicates whether we should requeue leftovers. +- * +- * Lock status: Assumed that lock is not held upon entry. +- * +- * Returns: cmd if requeue required, NULL otherwise. +- * +- * Notes: This is called for block device requests in order to +- * mark some number of sectors as complete. +- * +- * We are guaranteeing that the request queue will be goosed +- * at some point during this call. +- * Notes: If cmd was requeued, upon return it will be a stale pointer. +- */ +-static struct scsi_cmnd *scsi_end_request(struct scsi_cmnd *cmd, int error, +- int bytes, int requeue) +-{ +- struct request_queue *q = cmd->device->request_queue; +- struct request *req = cmd->request; +- +- /* +- * If there are blocks left over at the end, set up the command +- * to queue the remainder of them. +- */ +- if (blk_end_request(req, error, bytes)) { +- /* kill remainder if no retrys */ +- if (error && scsi_noretry_cmd(cmd)) +- blk_end_request_all(req, error); +- else { +- if (requeue) { +- /* +- * Bleah. Leftovers again. Stick the +- * leftovers in the front of the +- * queue, and goose the queue again. +- */ +- scsi_release_buffers(cmd); +- scsi_requeue_command(q, cmd); +- cmd = NULL; +- } +- return cmd; +- } +- } +- +- /* +- * This will goose the queue request function at the end, so we don't +- * need to worry about launching another command. +- */ +- __scsi_release_buffers(cmd, 0); +- scsi_next_command(cmd); +- return NULL; +-} +- + static inline unsigned int scsi_sgtable_index(unsigned short nents) + { + unsigned int index; +@@ -751,16 +691,9 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result) + * + * Returns: Nothing + * +- * Notes: This function is matched in terms of capabilities to +- * the function that created the scatter-gather list. +- * In other words, if there are no bounce buffers +- * (the normal case for most drivers), we don't need +- * the logic to deal with cleaning up afterwards. +- * +- * We must call scsi_end_request(). This will finish off +- * the specified number of sectors. If we are done, the +- * command block will be released and the queue function +- * will be goosed. If we are not done then we have to ++ * Notes: We will finish off the specified number of sectors. If we ++ * are done, the command block will be released and the queue ++ * function will be goosed. If we are not done then we have to + * figure out what to do next: + * + * a) We can call scsi_requeue_command(). The request +@@ -769,7 +702,7 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result) + * be used if we made forward progress, or if we want + * to switch from READ(10) to READ(6) for example. + * +- * b) We can call scsi_queue_insert(). The request will ++ * b) We can call __scsi_queue_insert(). The request will + * be put back on the queue and retried using the same + * command as before, possibly after a delay. + * +@@ -873,12 +806,28 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) + } + + /* +- * A number of bytes were successfully read. If there +- * are leftovers and there is some kind of error +- * (result != 0), retry the rest. ++ * special case: failed zero length commands always need to ++ * drop down into the retry code. Otherwise, if we finished ++ * all bytes in the request we are done now. + */ +- if (scsi_end_request(cmd, error, good_bytes, result == 0) == NULL) +- return; ++ if (!(blk_rq_bytes(req) == 0 && error) && ++ !blk_end_request(req, error, good_bytes)) ++ goto next_command; ++ ++ /* ++ * Kill remainder if no retrys. ++ */ ++ if (error && scsi_noretry_cmd(cmd)) { ++ blk_end_request_all(req, error); ++ goto next_command; ++ } ++ ++ /* ++ * If there had been no error, but we have leftover bytes in the ++ * requeues just queue the command up again. ++ */ ++ if (result == 0) ++ goto requeue; + + error = __scsi_error_from_host_byte(cmd, result); + +@@ -1000,7 +949,6 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) + switch (action) { + case ACTION_FAIL: + /* Give up and fail the remainder of the request */ +- scsi_release_buffers(cmd); + if (!(req->cmd_flags & REQ_QUIET)) { + if (description) + scmd_printk(KERN_INFO, cmd, "%s\n", +@@ -1010,12 +958,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) + scsi_print_sense("", cmd); + scsi_print_command(cmd); + } +- if (blk_end_request_err(req, error)) +- scsi_requeue_command(q, cmd); +- else +- scsi_next_command(cmd); +- break; ++ if (!blk_end_request_err(req, error)) ++ goto next_command; ++ /*FALLTHRU*/ + case ACTION_REPREP: ++ requeue: + /* Unprep the request and put it back at the head of the queue. + * A new command will be prepared and issued. + */ +@@ -1031,6 +978,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) + __scsi_queue_insert(cmd, SCSI_MLQUEUE_DEVICE_BUSY, 0); + break; + } ++ return; ++ ++next_command: ++ __scsi_release_buffers(cmd, 0); ++ scsi_next_command(cmd); + } + + static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb, +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index dcee3f09793d..f46ac929ef8a 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -106,6 +106,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem); + #define HUB_DEBOUNCE_STEP 25 + #define HUB_DEBOUNCE_STABLE 100 + ++static void hub_release(struct kref *kref); + static int usb_reset_and_verify_device(struct usb_device *udev); + + static inline char *portspeed(struct usb_hub *hub, int portstatus) +@@ -1023,10 +1024,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + unsigned delay; + + /* Continue a partial initialization */ +- if (type == HUB_INIT2) +- goto init2; +- if (type == HUB_INIT3) ++ if (type == HUB_INIT2 || type == HUB_INIT3) { ++ device_lock(hub->intfdev); ++ ++ /* Was the hub disconnected while we were waiting? */ ++ if (hub->disconnected) { ++ device_unlock(hub->intfdev); ++ kref_put(&hub->kref, hub_release); ++ return; ++ } ++ if (type == HUB_INIT2) ++ goto init2; + goto init3; ++ } ++ kref_get(&hub->kref); + + /* The superspeed hub except for root hub has to use Hub Depth + * value as an offset into the route string to locate the bits +@@ -1220,6 +1231,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3); + schedule_delayed_work(&hub->init_work, + msecs_to_jiffies(delay)); ++ device_unlock(hub->intfdev); + return; /* Continues at init3: below */ + } else { + msleep(delay); +@@ -1240,6 +1252,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + /* Allow autosuspend if it was suppressed */ + if (type <= HUB_INIT3) + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); ++ ++ if (type == HUB_INIT2 || type == HUB_INIT3) ++ device_unlock(hub->intfdev); ++ ++ kref_put(&hub->kref, hub_release); + } + + /* Implement the continuations for the delays above */ +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index b6c85fbd0a14..24af5b0b8d81 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -164,6 +164,10 @@ static const struct usb_device_id usb_quirk_list[] = { + /* MAYA44USB sound device */ + { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* ASUS Base Station(T100) */ ++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info = ++ USB_QUIRK_IGNORE_REMOTE_WAKEUP }, ++ + /* Action Semiconductor flash disk */ + { USB_DEVICE(0x10d6, 0x2200), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, +@@ -186,10 +190,6 @@ static const struct usb_device_id usb_interface_quirk_list[] = { + { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0), + .driver_info = USB_QUIRK_RESET_RESUME }, + +- /* ASUS Base Station(T100) */ +- { USB_DEVICE(0x0b05, 0x17e0), .driver_info = +- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, +- + { } /* terminating entry must be last */ + }; + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index a3be02e03021..0bffd9a0fbf2 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -359,9 +359,13 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext) + ext4_fsblk_t block = ext4_ext_pblock(ext); + int len = ext4_ext_get_actual_len(ext); + ext4_lblk_t lblock = le32_to_cpu(ext->ee_block); +- ext4_lblk_t last = lblock + len - 1; + +- if (len == 0 || lblock > last) ++ /* ++ * We allow neither: ++ * - zero length ++ * - overflow/wrap-around ++ */ ++ if (lblock + len <= lblock) + return 0; + return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len); + } +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 58001fcff037..774cb09519cb 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -204,9 +204,9 @@ void ext4_evict_inode(struct inode *inode) + * Note that directories do not have this problem because they + * don't use page cache. + */ +- if (ext4_should_journal_data(inode) && +- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) && +- inode->i_ino != EXT4_JOURNAL_INO) { ++ if (inode->i_ino != EXT4_JOURNAL_INO && ++ ext4_should_journal_data(inode) && ++ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) { + journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; + tid_t commit_tid = EXT4_I(inode)->i_datasync_tid; + +@@ -2579,13 +2579,36 @@ retry: + done = true; + } + } +- ext4_journal_stop(handle); ++ /* ++ * Caution: If the handle is synchronous, ++ * ext4_journal_stop() can wait for transaction commit ++ * to finish which may depend on writeback of pages to ++ * complete or on page lock to be released. In that ++ * case, we have to wait until after after we have ++ * submitted all the IO, released page locks we hold, ++ * and dropped io_end reference (for extent conversion ++ * to be able to complete) before stopping the handle. ++ */ ++ if (!ext4_handle_valid(handle) || handle->h_sync == 0) { ++ ext4_journal_stop(handle); ++ handle = NULL; ++ } + /* Submit prepared bio */ + ext4_io_submit(&mpd.io_submit); + /* Unlock pages we didn't use */ + mpage_release_unused_pages(&mpd, give_up_on_write); +- /* Drop our io_end reference we got from init */ +- ext4_put_io_end(mpd.io_submit.io_end); ++ /* ++ * Drop our io_end reference we got from init. We have ++ * to be careful and use deferred io_end finishing if ++ * we are still holding the transaction as we can ++ * release the last reference to io_end which may end ++ * up doing unwritten extent conversion. ++ */ ++ if (handle) { ++ ext4_put_io_end_defer(mpd.io_submit.io_end); ++ ext4_journal_stop(handle); ++ } else ++ ext4_put_io_end(mpd.io_submit.io_end); + + if (ret == -ENOSPC && sbi->s_journal) { + /* +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 4a79ce1ecaa1..fcb205f69ed6 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2897,7 +2897,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, + ext4_error(sb, "Allocating blocks %llu-%llu which overlap " + "fs metadata", block, block+len); + /* File system mounted not to panic on error +- * Fix the bitmap and repeat the block allocation ++ * Fix the bitmap and return EUCLEAN + * We leak some of the blocks here. + */ + ext4_lock_group(sb, ac->ac_b_ex.fe_group); +@@ -2906,7 +2906,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, + ext4_unlock_group(sb, ac->ac_b_ex.fe_group); + err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh); + if (!err) +- err = -EAGAIN; ++ err = -EUCLEAN; + goto out_err; + } + +@@ -4476,18 +4476,7 @@ repeat: + } + if (likely(ac->ac_status == AC_STATUS_FOUND)) { + *errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs); +- if (*errp == -EAGAIN) { +- /* +- * drop the reference that we took +- * in ext4_mb_use_best_found +- */ +- ext4_mb_release_context(ac); +- ac->ac_b_ex.fe_group = 0; +- ac->ac_b_ex.fe_start = 0; +- ac->ac_b_ex.fe_len = 0; +- ac->ac_status = AC_STATUS_CONTINUE; +- goto repeat; +- } else if (*errp) { ++ if (*errp) { + ext4_discard_allocated_blocks(ac); + goto errout; + } else { +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 64cd8114f75d..4ce824197b81 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2222,6 +2222,16 @@ static void ext4_orphan_cleanup(struct super_block *sb, + while (es->s_last_orphan) { + struct inode *inode; + ++ /* ++ * We may have encountered an error during cleanup; if ++ * so, skip the rest. ++ */ ++ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) { ++ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n"); ++ es->s_last_orphan = 0; ++ break; ++ } ++ + inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan)); + if (IS_ERR(inode)) { + es->s_last_orphan = 0; +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c +index faf00af7f3d7..58737550a3f4 100644 +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -911,7 +911,7 @@ static void fuse_send_init(struct fuse_conn *fc, struct fuse_req *req) + arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC | + FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK | + FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ | +- FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA | ++ FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA | + FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO; + req->in.h.opcode = FUSE_INIT; + req->in.numargs = 1; +diff --git a/include/linux/console.h b/include/linux/console.h +index 7571a16bd653..ac1599bda9fc 100644 +--- a/include/linux/console.h ++++ b/include/linux/console.h +@@ -150,6 +150,7 @@ extern int console_trylock(void); + extern void console_unlock(void); + extern void console_conditional_schedule(void); + extern void console_unblank(void); ++extern void console_flush_on_panic(void); + extern struct tty_driver *console_device(int *); + extern void console_stop(struct console *); + extern void console_start(struct console *); +diff --git a/include/rdma/ib.h b/include/rdma/ib.h +index cf8f9e700e48..a6b93706b0fc 100644 +--- a/include/rdma/ib.h ++++ b/include/rdma/ib.h +@@ -34,6 +34,7 @@ + #define _RDMA_IB_H + + #include ++#include + + struct ib_addr { + union { +@@ -86,4 +87,19 @@ struct sockaddr_ib { + __u64 sib_scope_id; + }; + ++/* ++ * The IB interfaces that use write() as bi-directional ioctl() are ++ * fundamentally unsafe, since there are lots of ways to trigger "write()" ++ * calls from various contexts with elevated privileges. That includes the ++ * traditional suid executable error message writes, but also various kernel ++ * interfaces that can write to file descriptors. ++ * ++ * This function provides protection for the legacy API by restricting the ++ * calling context. ++ */ ++static inline bool ib_safe_file_access(struct file *filp) ++{ ++ return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS); ++} ++ + #endif /* _RDMA_IB_H */ +diff --git a/ipc/msg.c b/ipc/msg.c +index 4a036c619607..0d1449551e06 100644 +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -745,7 +745,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext, + rcu_read_lock(); + ipc_lock_object(&msq->q_perm); + +- ipc_rcu_putref(msq, ipc_rcu_free); ++ ipc_rcu_putref(msq, msg_rcu_free); + /* raced with RMID? */ + if (!ipc_valid_object(&msq->q_perm)) { + err = -EIDRM; +diff --git a/ipc/sem.c b/ipc/sem.c +index e53c96f7db42..bd8cbb071166 100644 +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -441,7 +441,7 @@ static inline struct sem_array *sem_obtain_object_check(struct ipc_namespace *ns + static inline void sem_lock_and_putref(struct sem_array *sma) + { + sem_lock(sma, NULL, -1); +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + } + + static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) +@@ -1371,7 +1371,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, + rcu_read_unlock(); + sem_io = ipc_alloc(sizeof(ushort)*nsems); + if (sem_io == NULL) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + return -ENOMEM; + } + +@@ -1405,20 +1405,20 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, + if (nsems > SEMMSL_FAST) { + sem_io = ipc_alloc(sizeof(ushort)*nsems); + if (sem_io == NULL) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + return -ENOMEM; + } + } + + if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + err = -EFAULT; + goto out_free; + } + + for (i = 0; i < nsems; i++) { + if (sem_io[i] > SEMVMX) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + err = -ERANGE; + goto out_free; + } +@@ -1708,7 +1708,7 @@ static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid) + /* step 2: allocate new undo structure */ + new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL); + if (!new) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + return ERR_PTR(-ENOMEM); + } + +diff --git a/kernel/panic.c b/kernel/panic.c +index 6d6300375090..16458b37fadc 100644 +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #define PANIC_TIMER_STEP 100 + #define PANIC_BLINK_SPD 18 +@@ -133,6 +134,8 @@ void panic(const char *fmt, ...) + + bust_spinlocks(0); + ++ console_flush_on_panic(); ++ + if (!panic_blink) + panic_blink = no_blink; + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 02e7fb4edb93..2e0406fe1105 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2011,13 +2011,24 @@ void console_unlock(void) + static u64 seen_seq; + unsigned long flags; + bool wake_klogd = false; +- bool retry; ++ bool do_cond_resched, retry; + + if (console_suspended) { + up(&console_sem); + return; + } + ++ /* ++ * Console drivers are called under logbuf_lock, so ++ * @console_may_schedule should be cleared before; however, we may ++ * end up dumping a lot of lines, for example, if called from ++ * console registration path, and should invoke cond_resched() ++ * between lines if allowable. Not doing so can cause a very long ++ * scheduling stall on a slow console leading to RCU stall and ++ * softlockup warnings which exacerbate the issue with more ++ * messages practically incapacitating the system. ++ */ ++ do_cond_resched = console_may_schedule; + console_may_schedule = 0; + + /* flush buffered message fragment immediately to console */ +@@ -2074,6 +2085,9 @@ skip: + call_console_drivers(level, text, len); + start_critical_timings(); + local_irq_restore(flags); ++ ++ if (do_cond_resched) ++ cond_resched(); + } + console_locked = 0; + mutex_release(&console_lock_dep_map, 1, _RET_IP_); +@@ -2142,6 +2156,25 @@ void console_unblank(void) + console_unlock(); + } + ++/** ++ * console_flush_on_panic - flush console content on panic ++ * ++ * Immediately output all pending messages no matter what. ++ */ ++void console_flush_on_panic(void) ++{ ++ /* ++ * If someone else is holding the console lock, trylock will fail ++ * and may_schedule may be set. Ignore and proceed to unlock so ++ * that messages are flushed out. As this can be called from any ++ * context and we don't want to get preempted while flushing, ++ * ensure may_schedule is cleared. ++ */ ++ console_trylock(); ++ console_may_schedule = 0; ++ console_unlock(); ++} ++ + /* + * Return the console tty driver structure and its associated index + */ +diff --git a/mm/migrate.c b/mm/migrate.c +index 23ca861c93e9..ae10044bdfa5 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -344,6 +345,8 @@ int migrate_page_move_mapping(struct address_space *mapping, + struct buffer_head *head, enum migrate_mode mode, + int extra_count) + { ++ struct zone *oldzone, *newzone; ++ int dirty; + int expected_count = 1 + extra_count; + void **pslot; + +@@ -354,6 +357,9 @@ int migrate_page_move_mapping(struct address_space *mapping, + return MIGRATEPAGE_SUCCESS; + } + ++ oldzone = page_zone(page); ++ newzone = page_zone(newpage); ++ + spin_lock_irq(&mapping->tree_lock); + + pslot = radix_tree_lookup_slot(&mapping->page_tree, +@@ -394,6 +400,13 @@ int migrate_page_move_mapping(struct address_space *mapping, + set_page_private(newpage, page_private(page)); + } + ++ /* Move dirty while page refs frozen and newpage not yet exposed */ ++ dirty = PageDirty(page); ++ if (dirty) { ++ ClearPageDirty(page); ++ SetPageDirty(newpage); ++ } ++ + radix_tree_replace_slot(pslot, newpage); + + /* +@@ -403,6 +416,9 @@ int migrate_page_move_mapping(struct address_space *mapping, + */ + page_unfreeze_refs(page, expected_count - 1); + ++ spin_unlock(&mapping->tree_lock); ++ /* Leave irq disabled to prevent preemption while updating stats */ ++ + /* + * If moved to a different zone then also account + * the page for that zone. Other VM counters will be +@@ -413,13 +429,19 @@ int migrate_page_move_mapping(struct address_space *mapping, + * via NR_FILE_PAGES and NR_ANON_PAGES if they + * are mapped to swap space. + */ +- __dec_zone_page_state(page, NR_FILE_PAGES); +- __inc_zone_page_state(newpage, NR_FILE_PAGES); +- if (!PageSwapCache(page) && PageSwapBacked(page)) { +- __dec_zone_page_state(page, NR_SHMEM); +- __inc_zone_page_state(newpage, NR_SHMEM); ++ if (newzone != oldzone) { ++ __dec_zone_state(oldzone, NR_FILE_PAGES); ++ __inc_zone_state(newzone, NR_FILE_PAGES); ++ if (PageSwapBacked(page) && !PageSwapCache(page)) { ++ __dec_zone_state(oldzone, NR_SHMEM); ++ __inc_zone_state(newzone, NR_SHMEM); ++ } ++ if (dirty && mapping_cap_account_dirty(mapping)) { ++ __dec_zone_state(oldzone, NR_FILE_DIRTY); ++ __inc_zone_state(newzone, NR_FILE_DIRTY); ++ } + } +- spin_unlock_irq(&mapping->tree_lock); ++ local_irq_enable(); + + return MIGRATEPAGE_SUCCESS; + } +@@ -544,20 +566,9 @@ void migrate_page_copy(struct page *newpage, struct page *page) + if (PageMappedToDisk(page)) + SetPageMappedToDisk(newpage); + +- if (PageDirty(page)) { +- clear_page_dirty_for_io(page); +- /* +- * Want to mark the page and the radix tree as dirty, and +- * redo the accounting that clear_page_dirty_for_io undid, +- * but we can't use set_page_dirty because that function +- * is actually a signal that all of the page has become dirty. +- * Whereas only part of our page may be dirty. +- */ +- if (PageSwapBacked(page)) +- SetPageDirty(newpage); +- else +- __set_page_dirty_nobuffers(newpage); +- } ++ /* Move dirty on pages not done by migrate_page_move_mapping() */ ++ if (PageDirty(page)) ++ SetPageDirty(newpage); + + /* + * Copy NUMA information to the new page, to prevent over-eager +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 5b10c59ba8a9..90f9d00a3fbc 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1; + EXPORT_SYMBOL(sysctl_tcp_adv_win_scale); + + /* rfc5961 challenge ack rate limiting */ +-int sysctl_tcp_challenge_ack_limit = 100; ++int sysctl_tcp_challenge_ack_limit = 1000; + + int sysctl_tcp_stdurg __read_mostly; + int sysctl_tcp_rfc1337 __read_mostly; +@@ -3293,12 +3293,18 @@ static void tcp_send_challenge_ack(struct sock *sk) + static u32 challenge_timestamp; + static unsigned int challenge_count; + u32 now = jiffies / HZ; ++ u32 count; + + if (now != challenge_timestamp) { ++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1; ++ + challenge_timestamp = now; +- challenge_count = 0; ++ challenge_count = half + ++ prandom_u32_max(sysctl_tcp_challenge_ack_limit); + } +- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) { ++ count = challenge_count; ++ if (count > 0) { ++ challenge_count = count - 1; + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); + tcp_send_ack(sk); + } +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index a68cd7100349..99d89783d1e6 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -242,7 +242,8 @@ void tcp_select_initial_window(int __space, __u32 mss, + /* Set window scaling on max possible window + * See RFC1323 for an explanation of the limit to 14 + */ +- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max); ++ space = max_t(u32, space, sysctl_tcp_rmem[2]); ++ space = max_t(u32, space, sysctl_rmem_max); + space = min_t(u32, space, *window_clamp); + while (space > 65535 && (*rcv_wscale) < 14) { + space >>= 1; +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index f945293c17f0..033a7af5914e 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1037,8 +1037,11 @@ static int irda_connect(struct socket *sock, struct sockaddr *uaddr, + } + + /* Check if we have opened a local TSAP */ +- if (!self->tsap) +- irda_open_tsap(self, LSAP_ANY, addr->sir_name); ++ if (!self->tsap) { ++ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name); ++ if (err) ++ goto out; ++ } + + /* Move to connecting socket, start sending Connect Requests */ + sock->state = SS_CONNECTING; +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c +index fef2acdf4a2e..ecae5561b912 100644 +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -244,12 +244,13 @@ void sctp_generate_t3_rtx_event(unsigned long peer) + int error; + struct sctp_transport *transport = (struct sctp_transport *) peer; + struct sctp_association *asoc = transport->asoc; +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + + /* Check whether a task is in the sock. */ + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy\n", __func__); + + /* Try again later. */ +@@ -272,10 +273,10 @@ void sctp_generate_t3_rtx_event(unsigned long peer) + transport, GFP_ATOMIC); + + if (error) +- asoc->base.sk->sk_err = -error; ++ sk->sk_err = -error; + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_transport_put(transport); + } + +@@ -285,11 +286,12 @@ out_unlock: + static void sctp_generate_timeout_event(struct sctp_association *asoc, + sctp_event_timeout_t timeout_type) + { +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + int error = 0; + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy: timer %d\n", __func__, + timeout_type); + +@@ -312,10 +314,10 @@ static void sctp_generate_timeout_event(struct sctp_association *asoc, + (void *)timeout_type, GFP_ATOMIC); + + if (error) +- asoc->base.sk->sk_err = -error; ++ sk->sk_err = -error; + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_association_put(asoc); + } + +@@ -365,10 +367,11 @@ void sctp_generate_heartbeat_event(unsigned long data) + int error = 0; + struct sctp_transport *transport = (struct sctp_transport *) data; + struct sctp_association *asoc = transport->asoc; +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy\n", __func__); + + /* Try again later. */ +@@ -389,10 +392,10 @@ void sctp_generate_heartbeat_event(unsigned long data) + transport, GFP_ATOMIC); + + if (error) +- asoc->base.sk->sk_err = -error; ++ sk->sk_err = -error; + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_transport_put(transport); + } + +@@ -403,10 +406,11 @@ void sctp_generate_proto_unreach_event(unsigned long data) + { + struct sctp_transport *transport = (struct sctp_transport *) data; + struct sctp_association *asoc = transport->asoc; +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy\n", __func__); + + /* Try again later. */ +@@ -427,7 +431,7 @@ void sctp_generate_proto_unreach_event(unsigned long data) + asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC); + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_association_put(asoc); + } + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index 7db9954f1af2..b30489856741 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v) + seq_printf(seq, "%.2x", profile->hash[i]); + seq_puts(seq, "\n"); + } ++ aa_put_profile(profile); + + return 0; + } diff --git a/patch/kernel/cubox-dev/patch-3.14.76-77.patch b/patch/kernel/cubox-dev/patch-3.14.76-77.patch new file mode 100644 index 000000000..dc1dc0fde --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.76-77.patch @@ -0,0 +1,1347 @@ +diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt +index 2b40e04d3c49..f18b6ef7f805 100644 +--- a/Documentation/module-signing.txt ++++ b/Documentation/module-signing.txt +@@ -238,3 +238,9 @@ Since the private key is used to sign modules, viruses and malware could use + the private key to sign modules and compromise the operating system. The + private key must be either destroyed or moved to a secure location and not kept + in the root node of the kernel source tree. ++ ++If you use the same private key to sign modules for multiple kernel ++configurations, you must ensure that the module version information is ++sufficient to prevent loading a module into a different kernel. Either ++set CONFIG_MODVERSIONS=y or ensure that each configuration has a different ++kernel release string by changing EXTRAVERSION or CONFIG_LOCALVERSION. +diff --git a/Makefile b/Makefile +index 306fd306906b..fc4df99727c1 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 76 ++SUBLEVEL = 77 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h +index ab7ee9205ca4..40d60a679fc8 100644 +--- a/arch/arm/include/asm/pgtable-3level.h ++++ b/arch/arm/include/asm/pgtable-3level.h +@@ -243,8 +243,11 @@ PMD_BIT_FUNC(mkyoung, |= PMD_SECT_AF); + #define pfn_pmd(pfn,prot) (__pmd(((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot))) + #define mk_pmd(page,prot) pfn_pmd(page_to_pfn(page),prot) + +-/* represent a notpresent pmd by zero, this is used by pmdp_invalidate */ +-#define pmd_mknotpresent(pmd) (__pmd(0)) ++/* represent a notpresent pmd by faulting entry, this is used by pmdp_invalidate */ ++static inline pmd_t pmd_mknotpresent(pmd_t pmd) ++{ ++ return __pmd(pmd_val(pmd) & ~L_PMD_SECT_VALID); ++} + + static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot) + { +diff --git a/arch/metag/include/asm/cmpxchg_lnkget.h b/arch/metag/include/asm/cmpxchg_lnkget.h +index 0154e2807ebb..2369ad394876 100644 +--- a/arch/metag/include/asm/cmpxchg_lnkget.h ++++ b/arch/metag/include/asm/cmpxchg_lnkget.h +@@ -73,7 +73,7 @@ static inline unsigned long __cmpxchg_u32(volatile int *m, unsigned long old, + " DCACHE [%2], %0\n" + #endif + "2:\n" +- : "=&d" (temp), "=&da" (retval) ++ : "=&d" (temp), "=&d" (retval) + : "da" (m), "bd" (old), "da" (new) + : "cc" + ); +diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c +index 33085819cd89..9f7643874fba 100644 +--- a/arch/mips/kvm/kvm_mips_emul.c ++++ b/arch/mips/kvm/kvm_mips_emul.c +@@ -972,8 +972,13 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause, + preempt_disable(); + if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) { + +- if (kvm_mips_host_tlb_lookup(vcpu, va) < 0) { +- kvm_mips_handle_kseg0_tlb_fault(va, vcpu); ++ if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 && ++ kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) { ++ kvm_err("%s: handling mapped kseg0 tlb fault for %lx, vcpu: %p, ASID: %#lx\n", ++ __func__, va, vcpu, read_c0_entryhi()); ++ er = EMULATE_FAIL; ++ preempt_enable(); ++ goto done; + } + } else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) || + KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) { +@@ -1006,11 +1011,16 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause, + run, vcpu); + preempt_enable(); + goto dont_update_pc; +- } else { +- /* We fault an entry from the guest tlb to the shadow host TLB */ +- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, +- NULL, +- NULL); ++ } ++ /* We fault an entry from the guest tlb to the shadow host TLB */ ++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, ++ NULL, NULL)) { ++ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n", ++ __func__, va, index, vcpu, ++ read_c0_entryhi()); ++ er = EMULATE_FAIL; ++ preempt_enable(); ++ goto done; + } + } + } else { +@@ -1821,8 +1831,13 @@ kvm_mips_handle_tlbmiss(unsigned long cause, uint32_t *opc, + tlb->tlb_hi, tlb->tlb_lo0, tlb->tlb_lo1); + #endif + /* OK we have a Guest TLB entry, now inject it into the shadow host TLB */ +- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, NULL, +- NULL); ++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, ++ NULL, NULL)) { ++ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n", ++ __func__, va, index, vcpu, ++ read_c0_entryhi()); ++ er = EMULATE_FAIL; ++ } + } + } + +diff --git a/arch/mips/kvm/kvm_tlb.c b/arch/mips/kvm/kvm_tlb.c +index 50ab9c4d4a5d..356b8aa03a70 100644 +--- a/arch/mips/kvm/kvm_tlb.c ++++ b/arch/mips/kvm/kvm_tlb.c +@@ -285,7 +285,7 @@ int kvm_mips_handle_kseg0_tlb_fault(unsigned long badvaddr, + } + + gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT); +- if (gfn >= kvm->arch.guest_pmap_npages) { ++ if ((gfn | 1) >= kvm->arch.guest_pmap_npages) { + kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__, + gfn, badvaddr); + kvm_mips_dump_host_tlbs(); +@@ -370,21 +370,38 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu, + unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0; + struct kvm *kvm = vcpu->kvm; + pfn_t pfn0, pfn1; ++ gfn_t gfn0, gfn1; ++ long tlb_lo[2]; ++ ++ tlb_lo[0] = tlb->tlb_lo0; ++ tlb_lo[1] = tlb->tlb_lo1; ++ ++ /* ++ * The commpage address must not be mapped to anything else if the guest ++ * TLB contains entries nearby, or commpage accesses will break. ++ */ ++ if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) & ++ VPN2_MASK & (PAGE_MASK << 1))) ++ tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0; ++ ++ gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT; ++ gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT; ++ if (gfn0 >= kvm->arch.guest_pmap_npages || ++ gfn1 >= kvm->arch.guest_pmap_npages) { ++ kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n", ++ __func__, gfn0, gfn1, tlb->tlb_hi); ++ kvm_mips_dump_guest_tlbs(vcpu); ++ return -1; ++ } + ++ if (kvm_mips_map_page(kvm, gfn0) < 0) ++ return -1; + +- if ((tlb->tlb_hi & VPN2_MASK) == 0) { +- pfn0 = 0; +- pfn1 = 0; +- } else { +- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT) < 0) +- return -1; +- +- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT) < 0) +- return -1; ++ if (kvm_mips_map_page(kvm, gfn1) < 0) ++ return -1; + +- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT]; +- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT]; +- } ++ pfn0 = kvm->arch.guest_pmap[gfn0]; ++ pfn1 = kvm->arch.guest_pmap[gfn1]; + + if (hpa0) + *hpa0 = pfn0 << PAGE_SHIFT; +@@ -396,9 +413,9 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu, + entryhi = (tlb->tlb_hi & VPN2_MASK) | (KVM_GUEST_KERNEL_MODE(vcpu) ? + kvm_mips_get_kernel_asid(vcpu) : kvm_mips_get_user_asid(vcpu)); + entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) | (0x3 << 3) | +- (tlb->tlb_lo0 & MIPS3_PG_D) | (tlb->tlb_lo0 & MIPS3_PG_V); ++ (tlb_lo[0] & MIPS3_PG_D) | (tlb_lo[0] & MIPS3_PG_V); + entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) | (0x3 << 3) | +- (tlb->tlb_lo1 & MIPS3_PG_D) | (tlb->tlb_lo1 & MIPS3_PG_V); ++ (tlb_lo[1] & MIPS3_PG_D) | (tlb_lo[1] & MIPS3_PG_V); + + #ifdef DEBUG + kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc, +@@ -780,10 +797,16 @@ uint32_t kvm_get_inst(uint32_t *opc, struct kvm_vcpu *vcpu) + local_irq_restore(flags); + return KVM_INVALID_INST; + } +- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, +- &vcpu->arch. +- guest_tlb[index], +- NULL, NULL); ++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, ++ &vcpu->arch.guest_tlb[index], ++ NULL, NULL)) { ++ kvm_err("%s: handling mapped seg tlb fault failed for %p, index: %u, vcpu: %p, ASID: %#lx\n", ++ __func__, opc, index, vcpu, ++ read_c0_entryhi()); ++ kvm_mips_dump_guest_tlbs(vcpu); ++ local_irq_restore(flags); ++ return KVM_INVALID_INST; ++ } + inst = *(opc); + } + local_irq_restore(flags); +diff --git a/drivers/char/random.c b/drivers/char/random.c +index d20ac1997886..a35a605c418a 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1339,12 +1339,16 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) + static ssize_t + urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) + { ++ static int maxwarn = 10; + int ret; + +- if (unlikely(nonblocking_pool.initialized == 0)) +- printk_once(KERN_NOTICE "random: %s urandom read " +- "with %d bits of entropy available\n", +- current->comm, nonblocking_pool.entropy_total); ++ if (unlikely(nonblocking_pool.initialized == 0) && ++ maxwarn > 0) { ++ maxwarn--; ++ printk(KERN_NOTICE "random: %s: uninitialized urandom read " ++ "(%zd bytes read, %d bits of entropy available)\n", ++ current->comm, nbytes, nonblocking_pool.entropy_total); ++ } + + ret = extract_entropy_user(&nonblocking_pool, buf, nbytes); + +diff --git a/drivers/gpio/gpio-intel-mid.c b/drivers/gpio/gpio-intel-mid.c +index e585163f1ad5..66b8e7ed1464 100644 +--- a/drivers/gpio/gpio-intel-mid.c ++++ b/drivers/gpio/gpio-intel-mid.c +@@ -21,7 +21,6 @@ + * Moorestown platform Langwell chip. + * Medfield platform Penwell chip. + * Clovertrail platform Cloverview chip. +- * Merrifield platform Tangier chip. + */ + + #include +@@ -70,10 +69,6 @@ enum GPIO_REG { + /* intel_mid gpio driver data */ + struct intel_mid_gpio_ddata { + u16 ngpio; /* number of gpio pins */ +- u32 gplr_offset; /* offset of first GPLR register from base */ +- u32 flis_base; /* base address of FLIS registers */ +- u32 flis_len; /* length of FLIS registers */ +- u32 (*get_flis_offset)(int gpio); + u32 chip_irq_type; /* chip interrupt type */ + }; + +@@ -288,15 +283,6 @@ static const struct intel_mid_gpio_ddata gpio_cloverview_core = { + .chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE, + }; + +-static const struct intel_mid_gpio_ddata gpio_tangier = { +- .ngpio = 192, +- .gplr_offset = 4, +- .flis_base = 0xff0c0000, +- .flis_len = 0x8000, +- .get_flis_offset = NULL, +- .chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE, +-}; +- + static const struct pci_device_id intel_gpio_ids[] = { + { + /* Lincroft */ +@@ -323,11 +309,6 @@ static const struct pci_device_id intel_gpio_ids[] = { + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x08f7), + .driver_data = (kernel_ulong_t)&gpio_cloverview_core, + }, +- { +- /* Tangier */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1199), +- .driver_data = (kernel_ulong_t)&gpio_tangier, +- }, + { 0 } + }; + MODULE_DEVICE_TABLE(pci, intel_gpio_ids); +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 019b23b955a2..c9cb0fb2302c 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -75,7 +75,7 @@ MODULE_DEVICE_TABLE(i2c, pca953x_id); + #define MAX_BANK 5 + #define BANK_SZ 8 + +-#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ) ++#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ) + + struct pca953x_chip { + unsigned gpio_start; +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index d30aba867a3a..ea58b4654868 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -8841,21 +8841,11 @@ connected_sink_compute_bpp(struct intel_connector * connector, + pipe_config->pipe_bpp = connector->base.display_info.bpc*3; + } + +- /* Clamp bpp to default limit on screens without EDID 1.4 */ +- if (connector->base.display_info.bpc == 0) { +- int type = connector->base.connector_type; +- int clamp_bpp = 24; +- +- /* Fall back to 18 bpp when DP sink capability is unknown. */ +- if (type == DRM_MODE_CONNECTOR_DisplayPort || +- type == DRM_MODE_CONNECTOR_eDP) +- clamp_bpp = 18; +- +- if (bpp > clamp_bpp) { +- DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of %d\n", +- bpp, clamp_bpp); +- pipe_config->pipe_bpp = clamp_bpp; +- } ++ /* Clamp bpp to 8 on screens without EDID 1.4 */ ++ if (connector->base.display_info.bpc == 0 && bpp > 24) { ++ DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of 24\n", ++ bpp); ++ pipe_config->pipe_bpp = 24; + } + } + +diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c +index eeb1369110ac..59049c365cb3 100644 +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -119,6 +119,7 @@ atombios_set_backlight_level(struct radeon_encoder *radeon_encoder, u8 level) + case ENCODER_OBJECT_ID_INTERNAL_KLDSCP_LVTMA: + case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1: + case ENCODER_OBJECT_ID_INTERNAL_UNIPHY2: ++ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY3: + if (dig->backlight_level == 0) + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_LCD_BLOFF, 0, 0); + else { +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 6a3b5f92219f..923982c44bff 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -1128,7 +1128,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev) + le16_to_cpu(firmware_info->info.usReferenceClock); + p1pll->reference_div = 0; + +- if (crev < 2) ++ if ((frev < 2) && (crev < 2)) + p1pll->pll_out_min = + le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output); + else +@@ -1137,7 +1137,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev) + p1pll->pll_out_max = + le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output); + +- if (crev >= 4) { ++ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) { + p1pll->lcd_pll_out_min = + le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100; + if (p1pll->lcd_pll_out_min == 0) +diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c +index a9fb0d016d38..ba95c4934c8d 100644 +--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c ++++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + #include "radeon_acpi.h" + +@@ -256,6 +257,10 @@ static int radeon_atpx_set_discrete_state(struct radeon_atpx *atpx, u8 state) + if (!info) + return -EIO; + kfree(info); ++ ++ /* 200ms delay is required after off */ ++ if (state == 0) ++ msleep(200); + } + return 0; + } +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index 17ae621dbdab..6ec0273e6191 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -1769,7 +1769,6 @@ radeon_add_atom_connector(struct drm_device *dev, + 1); + /* no HPD on analog connectors */ + radeon_connector->hpd.hpd = RADEON_HPD_NONE; +- connector->polled = DRM_CONNECTOR_POLL_CONNECT; + connector->interlace_allowed = true; + connector->doublescan_allowed = true; + break; +@@ -1998,8 +1997,10 @@ radeon_add_atom_connector(struct drm_device *dev, + } + + if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) { +- if (i2c_bus->valid) +- connector->polled = DRM_CONNECTOR_POLL_CONNECT; ++ if (i2c_bus->valid) { ++ connector->polled = DRM_CONNECTOR_POLL_CONNECT | ++ DRM_CONNECTOR_POLL_DISCONNECT; ++ } + } else + connector->polled = DRM_CONNECTOR_POLL_HPD; + +@@ -2071,7 +2072,6 @@ radeon_add_legacy_connector(struct drm_device *dev, + 1); + /* no HPD on analog connectors */ + radeon_connector->hpd.hpd = RADEON_HPD_NONE; +- connector->polled = DRM_CONNECTOR_POLL_CONNECT; + connector->interlace_allowed = true; + connector->doublescan_allowed = true; + break; +@@ -2156,10 +2156,13 @@ radeon_add_legacy_connector(struct drm_device *dev, + } + + if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) { +- if (i2c_bus->valid) +- connector->polled = DRM_CONNECTOR_POLL_CONNECT; ++ if (i2c_bus->valid) { ++ connector->polled = DRM_CONNECTOR_POLL_CONNECT | ++ DRM_CONNECTOR_POLL_DISCONNECT; ++ } + } else + connector->polled = DRM_CONNECTOR_POLL_HPD; ++ + connector->display_info.subpixel_order = subpixel_order; + drm_sysfs_connector_add(connector); + } +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index 8d7cd98c9671..6659796ece16 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -361,7 +361,7 @@ static int send_wqe_overhead(enum mlx4_ib_qp_type type, u32 flags) + sizeof (struct mlx4_wqe_raddr_seg); + case MLX4_IB_QPT_RC: + return sizeof (struct mlx4_wqe_ctrl_seg) + +- sizeof (struct mlx4_wqe_atomic_seg) + ++ sizeof (struct mlx4_wqe_masked_atomic_seg) + + sizeof (struct mlx4_wqe_raddr_seg); + case MLX4_IB_QPT_SMI: + case MLX4_IB_QPT_GSI: +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index 7dfe8a1c84cf..f09678d817d3 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -169,6 +169,8 @@ static int set_rq_size(struct mlx5_ib_dev *dev, struct ib_qp_cap *cap, + qp->rq.max_gs = 0; + qp->rq.wqe_cnt = 0; + qp->rq.wqe_shift = 0; ++ cap->max_recv_wr = 0; ++ cap->max_recv_sge = 0; + } else { + if (ucmd) { + qp->rq.wqe_cnt = ucmd->rq_wqe_count; +@@ -2035,10 +2037,11 @@ static u8 get_fence(u8 fence, struct ib_send_wr *wr) + return MLX5_FENCE_MODE_SMALL_AND_FENCE; + else + return fence; +- +- } else { +- return 0; ++ } else if (unlikely(wr->send_flags & IB_SEND_FENCE)) { ++ return MLX5_FENCE_MODE_FENCE; + } ++ ++ return 0; + } + + int mlx5_ib_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr, +@@ -2503,17 +2506,19 @@ int mlx5_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, int qp_attr + qp_attr->cap.max_recv_sge = qp->rq.max_gs; + + if (!ibqp->uobject) { +- qp_attr->cap.max_send_wr = qp->sq.wqe_cnt; ++ qp_attr->cap.max_send_wr = qp->sq.max_post; + qp_attr->cap.max_send_sge = qp->sq.max_gs; ++ qp_init_attr->qp_context = ibqp->qp_context; + } else { + qp_attr->cap.max_send_wr = 0; + qp_attr->cap.max_send_sge = 0; + } + +- /* We don't support inline sends for kernel QPs (yet), and we +- * don't know what userspace's value should be. +- */ +- qp_attr->cap.max_inline_data = 0; ++ qp_init_attr->qp_type = ibqp->qp_type; ++ qp_init_attr->recv_cq = ibqp->recv_cq; ++ qp_init_attr->send_cq = ibqp->send_cq; ++ qp_init_attr->srq = ibqp->srq; ++ qp_attr->cap.max_inline_data = qp->max_inline_data; + + qp_init_attr->cap = qp_attr->cap; + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index 5786a78ff8bc..8b97b77572c6 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -884,7 +884,9 @@ struct ipoib_neigh *ipoib_neigh_get(struct net_device *dev, u8 *daddr) + neigh = NULL; + goto out_unlock; + } +- neigh->alive = jiffies; ++ ++ if (likely(skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE)) ++ neigh->alive = jiffies; + goto out_unlock; + } + } +diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c +index b257e46876d3..0f5e1820c92d 100644 +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -287,10 +287,16 @@ static int flakey_map(struct dm_target *ti, struct bio *bio) + pb->bio_submitted = true; + + /* +- * Map reads as normal. ++ * Map reads as normal only if corrupt_bio_byte set. + */ +- if (bio_data_dir(bio) == READ) +- goto map_bio; ++ if (bio_data_dir(bio) == READ) { ++ /* If flags were specified, only corrupt those that match. */ ++ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) && ++ all_corrupt_bio_flags_match(bio, fc)) ++ goto map_bio; ++ else ++ return -EIO; ++ } + + /* + * Drop writes? +@@ -328,12 +334,13 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, int error) + + /* + * Corrupt successful READs while in down state. +- * If flags were specified, only corrupt those that match. + */ +- if (fc->corrupt_bio_byte && !error && pb->bio_submitted && +- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) && +- all_corrupt_bio_flags_match(bio, fc)) +- corrupt_bio_data(bio, fc); ++ if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) { ++ if (fc->corrupt_bio_byte) ++ corrupt_bio_data(bio, fc); ++ else ++ return -EIO; ++ } + + return error; + } +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c +index e2aac592d29f..983aae1461be 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -1004,6 +1004,11 @@ static int match_child(struct device *dev, void *data) + return !strcmp(dev_name(dev), (char *)data); + } + ++static void s5p_mfc_memdev_release(struct device *dev) ++{ ++ dma_release_declared_memory(dev); ++} ++ + static void *mfc_get_drv_data(struct platform_device *pdev); + + static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev) +@@ -1016,6 +1021,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev) + mfc_err("Not enough memory\n"); + return -ENOMEM; + } ++ ++ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l"); ++ dev->mem_dev_l->release = s5p_mfc_memdev_release; + device_initialize(dev->mem_dev_l); + of_property_read_u32_array(dev->plat_dev->dev.of_node, + "samsung,mfc-l", mem_info, 2); +@@ -1033,6 +1041,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev) + mfc_err("Not enough memory\n"); + return -ENOMEM; + } ++ ++ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r"); ++ dev->mem_dev_r->release = s5p_mfc_memdev_release; + device_initialize(dev->mem_dev_r); + of_property_read_u32_array(dev->plat_dev->dev.of_node, + "samsung,mfc-r", mem_info, 2); +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index 57deae961429..cfcb54369ce7 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -999,6 +999,9 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, + goto out_detach; + } + ++ /* Make device "available" before it becomes accessible via sysfs */ ++ ubi_devices[ubi_num] = ubi; ++ + err = uif_init(ubi, &ref); + if (err) + goto out_detach; +@@ -1043,7 +1046,6 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, + wake_up_process(ubi->bgt_thread); + spin_unlock(&ubi->wl_lock); + +- ubi_devices[ubi_num] = ubi; + ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL); + return ubi_num; + +@@ -1054,6 +1056,7 @@ out_uif: + ubi_assert(ref); + uif_close(ubi); + out_detach: ++ ubi_devices[ubi_num] = NULL; + ubi_wl_close(ubi); + ubi_free_internal_volumes(ubi); + vfree(ubi->vtbl); +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c +index 8330703c098f..96131eb34c9f 100644 +--- a/drivers/mtd/ubi/vmt.c ++++ b/drivers/mtd/ubi/vmt.c +@@ -534,13 +534,6 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs) + spin_unlock(&ubi->volumes_lock); + } + +- /* Change volume table record */ +- vtbl_rec = ubi->vtbl[vol_id]; +- vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs); +- err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec); +- if (err) +- goto out_acc; +- + if (pebs < 0) { + for (i = 0; i < -pebs; i++) { + err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i); +@@ -558,6 +551,24 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs) + spin_unlock(&ubi->volumes_lock); + } + ++ /* ++ * When we shrink a volume we have to flush all pending (erase) work. ++ * Otherwise it can happen that upon next attach UBI finds a LEB with ++ * lnum > highest_lnum and refuses to attach. ++ */ ++ if (pebs < 0) { ++ err = ubi_wl_flush(ubi, vol_id, UBI_ALL); ++ if (err) ++ goto out_acc; ++ } ++ ++ /* Change volume table record */ ++ vtbl_rec = ubi->vtbl[vol_id]; ++ vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs); ++ err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec); ++ if (err) ++ goto out_acc; ++ + vol->reserved_pebs = reserved_pebs; + if (vol->vol_type == UBI_DYNAMIC_VOLUME) { + vol->used_ebs = reserved_pebs; +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 2afa4803280f..09208ac59415 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3017,13 +3017,15 @@ static void quirk_no_bus_reset(struct pci_dev *dev) + } + + /* +- * Atheros AR93xx chips do not behave after a bus reset. The device will +- * throw a Link Down error on AER-capable systems and regardless of AER, +- * config space of the device is never accessible again and typically +- * causes the system to hang or reset when access is attempted. ++ * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset. ++ * The device will throw a Link Down error on AER-capable systems and ++ * regardless of AER, config space of the device is never accessible again ++ * and typically causes the system to hang or reset when access is attempted. + * http://www.spinics.net/lists/linux-pci/msg34797.html + */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0030, quirk_no_bus_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset); + + static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f, + struct pci_fixup *end) +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index 8ba8956b5a48..772209739246 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -696,6 +696,11 @@ static int hp_wmi_rfkill_setup(struct platform_device *device) + if (err) + return err; + ++ err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless, ++ sizeof(wireless), 0); ++ if (err) ++ return err; ++ + if (wireless & 0x1) { + wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev, + RFKILL_TYPE_WLAN, +@@ -883,7 +888,7 @@ static int __init hp_wmi_bios_setup(struct platform_device *device) + gps_rfkill = NULL; + rfkill2_count = 0; + +- if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device)) ++ if (hp_wmi_rfkill_setup(device)) + hp_wmi_rfkill2_setup(device); + + err = device_create_file(&device->dev, &dev_attr_display); +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 5600eab07865..1e032be2b7d7 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -505,7 +505,8 @@ static void iscsit_aborted_task(struct iscsi_conn *conn, struct iscsi_cmd *cmd) + bool scsi_cmd = (cmd->iscsi_opcode == ISCSI_OP_SCSI_CMD); + + spin_lock_bh(&conn->cmd_lock); +- if (!list_empty(&cmd->i_conn_node)) ++ if (!list_empty(&cmd->i_conn_node) && ++ !(cmd->se_cmd.transport_state & CMD_T_FABRIC_STOP)) + list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + +@@ -4160,6 +4161,7 @@ transport_err: + + static void iscsit_release_commands_from_conn(struct iscsi_conn *conn) + { ++ LIST_HEAD(tmp_list); + struct iscsi_cmd *cmd = NULL, *cmd_tmp = NULL; + struct iscsi_session *sess = conn->sess; + /* +@@ -4168,18 +4170,26 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn) + * has been reset -> returned sleeping pre-handler state. + */ + spin_lock_bh(&conn->cmd_lock); +- list_for_each_entry_safe(cmd, cmd_tmp, &conn->conn_cmd_list, i_conn_node) { ++ list_splice_init(&conn->conn_cmd_list, &tmp_list); + ++ list_for_each_entry(cmd, &tmp_list, i_conn_node) { ++ struct se_cmd *se_cmd = &cmd->se_cmd; ++ ++ if (se_cmd->se_tfo != NULL) { ++ spin_lock(&se_cmd->t_state_lock); ++ se_cmd->transport_state |= CMD_T_FABRIC_STOP; ++ spin_unlock(&se_cmd->t_state_lock); ++ } ++ } ++ spin_unlock_bh(&conn->cmd_lock); ++ ++ list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) { + list_del_init(&cmd->i_conn_node); +- spin_unlock_bh(&conn->cmd_lock); + + iscsit_increment_maxcmdsn(cmd, sess); +- + iscsit_free_cmd(cmd, true); + +- spin_lock_bh(&conn->cmd_lock); + } +- spin_unlock_bh(&conn->cmd_lock); + } + + static void iscsit_stop_timers_for_cmds( +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index e366b812f0e1..7c3ba7d711f1 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1583,13 +1583,15 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) + * in ATA and we need to set TPE=1 + */ + bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib, +- struct request_queue *q, int block_size) ++ struct request_queue *q) + { ++ int block_size = queue_logical_block_size(q); ++ + if (!blk_queue_discard(q)) + return false; + +- attrib->max_unmap_lba_count = (q->limits.max_discard_sectors << 9) / +- block_size; ++ attrib->max_unmap_lba_count = ++ q->limits.max_discard_sectors >> (ilog2(block_size) - 9); + /* + * Currently hardcoded to 1 in Linux/SCSI code.. + */ +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index 6fe5b503f6e1..d8bf1d9c723d 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -165,8 +165,7 @@ static int fd_configure_device(struct se_device *dev) + dev_size, div_u64(dev_size, fd_dev->fd_block_size), + fd_dev->fd_block_size); + +- if (target_configure_unmap_from_queue(&dev->dev_attrib, q, +- fd_dev->fd_block_size)) ++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q)) + pr_debug("IFILE: BLOCK Discard support available," + " disabled by default\n"); + /* +diff --git a/drivers/target/target_core_iblock.c b/drivers/target/target_core_iblock.c +index 357b9fb61499..f66e677ee5e5 100644 +--- a/drivers/target/target_core_iblock.c ++++ b/drivers/target/target_core_iblock.c +@@ -126,8 +126,7 @@ static int iblock_configure_device(struct se_device *dev) + dev->dev_attrib.hw_max_sectors = queue_max_hw_sectors(q); + dev->dev_attrib.hw_queue_depth = q->nr_requests; + +- if (target_configure_unmap_from_queue(&dev->dev_attrib, q, +- dev->dev_attrib.hw_block_size)) ++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q)) + pr_debug("IBLOCK: BLOCK Discard support available," + " disabled by default\n"); + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 9ad3d263d5e1..7ddf11c35eb7 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2407,7 +2407,8 @@ static void target_release_cmd_kref(struct kref *kref) + } + + spin_lock(&se_cmd->t_state_lock); +- fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP); ++ fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP) && ++ (se_cmd->transport_state & CMD_T_ABORTED); + spin_unlock(&se_cmd->t_state_lock); + + if (se_cmd->cmd_wait_set || fabric_stop) { +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 8016aaa158f2..a78766432d69 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1104,10 +1104,11 @@ static int proc_getdriver(struct dev_state *ps, void __user *arg) + + static int proc_connectinfo(struct dev_state *ps, void __user *arg) + { +- struct usbdevfs_connectinfo ci = { +- .devnum = ps->dev->devnum, +- .slow = ps->dev->speed == USB_SPEED_LOW +- }; ++ struct usbdevfs_connectinfo ci; ++ ++ memset(&ci, 0, sizeof(ci)); ++ ci.devnum = ps->dev->devnum; ++ ci.slow = ps->dev->speed == USB_SPEED_LOW; + + if (copy_to_user(arg, &ci, sizeof(ci))) + return -EFAULT; +diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c +index 458f3766bef1..1858df669965 100644 +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -558,6 +558,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep, + struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv); + struct usbhs_pipe *pipe; + int ret = -EIO; ++ unsigned long flags; ++ ++ usbhs_lock(priv, flags); + + /* + * if it already have pipe, +@@ -566,7 +569,8 @@ static int usbhsg_ep_enable(struct usb_ep *ep, + if (uep->pipe) { + usbhs_pipe_clear(uep->pipe); + usbhs_pipe_sequence_data0(uep->pipe); +- return 0; ++ ret = 0; ++ goto usbhsg_ep_enable_end; + } + + pipe = usbhs_pipe_malloc(priv, +@@ -594,6 +598,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep, + ret = 0; + } + ++usbhsg_ep_enable_end: ++ usbhs_unlock(priv, flags); ++ + return ret; + } + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index bcb6f5c2bae4..006a2a721edf 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -274,6 +274,7 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045 + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 ++#define TELIT_PRODUCT_LE910_USBCFG4 0x1206 + + /* ZTE PRODUCTS */ + #define ZTE_VENDOR_ID 0x19d2 +@@ -1206,6 +1207,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), + .driver_info = (kernel_ulong_t)&telit_le920_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ +diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c +index 36e7859a31aa..8e7e43bbee1a 100644 +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -178,6 +178,8 @@ static void leak_balloon(struct virtio_balloon *vb, size_t num) + num = min(num, ARRAY_SIZE(vb->pfns)); + + mutex_lock(&vb->balloon_lock); ++ /* We can't release more pages than taken */ ++ num = min(num, (size_t)vb->num_pages); + for (vb->num_pfns = 0; vb->num_pfns < num; + vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) { + page = balloon_page_dequeue(vb_dev_info); +diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c +index 0bd335a393f8..f1aa100758df 100644 +--- a/fs/cifs/cifsencrypt.c ++++ b/fs/cifs/cifsencrypt.c +@@ -727,24 +727,26 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) + + memcpy(ses->auth_key.response + baselen, tiblob, tilen); + ++ mutex_lock(&ses->server->srv_mutex); ++ + rc = crypto_hmacmd5_alloc(ses->server); + if (rc) { + cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc); +- goto setup_ntlmv2_rsp_ret; ++ goto unlock; + } + + /* calculate ntlmv2_hash */ + rc = calc_ntlmv2_hash(ses, ntlmv2_hash, nls_cp); + if (rc) { + cifs_dbg(VFS, "could not get v2 hash rc %d\n", rc); +- goto setup_ntlmv2_rsp_ret; ++ goto unlock; + } + + /* calculate first part of the client response (CR1) */ + rc = CalcNTLMv2_response(ses, ntlmv2_hash); + if (rc) { + cifs_dbg(VFS, "Could not calculate CR1 rc: %d\n", rc); +- goto setup_ntlmv2_rsp_ret; ++ goto unlock; + } + + /* now calculate the session key for NTLMv2 */ +@@ -753,13 +755,13 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) + if (rc) { + cifs_dbg(VFS, "%s: Could not set NTLMV2 Hash as a key\n", + __func__); +- goto setup_ntlmv2_rsp_ret; ++ goto unlock; + } + + rc = crypto_shash_init(&ses->server->secmech.sdeschmacmd5->shash); + if (rc) { + cifs_dbg(VFS, "%s: Could not init hmacmd5\n", __func__); +- goto setup_ntlmv2_rsp_ret; ++ goto unlock; + } + + rc = crypto_shash_update(&ses->server->secmech.sdeschmacmd5->shash, +@@ -767,7 +769,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) + CIFS_HMAC_MD5_HASH_SIZE); + if (rc) { + cifs_dbg(VFS, "%s: Could not update with response\n", __func__); +- goto setup_ntlmv2_rsp_ret; ++ goto unlock; + } + + rc = crypto_shash_final(&ses->server->secmech.sdeschmacmd5->shash, +@@ -775,6 +777,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) + if (rc) + cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__); + ++unlock: ++ mutex_unlock(&ses->server->srv_mutex); + setup_ntlmv2_rsp_ret: + kfree(tiblob); + +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c +index 3db0c5fd9a11..3f2dd87b899a 100644 +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -229,6 +229,13 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid, + goto cifs_create_get_file_info; + } + ++ if (S_ISDIR(newinode->i_mode)) { ++ CIFSSMBClose(xid, tcon, fid->netfid); ++ iput(newinode); ++ rc = -EISDIR; ++ goto out; ++ } ++ + if (!S_ISREG(newinode->i_mode)) { + /* + * The server may allow us to open things like +@@ -399,10 +406,14 @@ cifs_create_set_dentry: + if (rc != 0) { + cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n", + rc); +- if (server->ops->close) +- server->ops->close(xid, tcon, fid); +- goto out; ++ goto out_err; + } ++ ++ if (S_ISDIR(newinode->i_mode)) { ++ rc = -EISDIR; ++ goto out_err; ++ } ++ + d_drop(direntry); + d_add(direntry, newinode); + +@@ -410,6 +421,13 @@ out: + kfree(buf); + kfree(full_path); + return rc; ++ ++out_err: ++ if (server->ops->close) ++ server->ops->close(xid, tcon, fid); ++ if (newinode) ++ iput(newinode); ++ goto out; + } + + int +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 6aeb1de0fa23..a2c96326f475 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -858,6 +858,9 @@ smb2_new_lease_key(struct cifs_fid *fid) + get_random_bytes(fid->lease_key, SMB2_LEASE_KEY_SIZE); + } + ++#define SMB2_SYMLINK_STRUCT_SIZE \ ++ (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp)) ++ + static int + smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, + const char *full_path, char **target_path, +@@ -870,7 +873,10 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, + struct cifs_fid fid; + struct smb2_err_rsp *err_buf = NULL; + struct smb2_symlink_err_rsp *symlink; +- unsigned int sub_len, sub_offset; ++ unsigned int sub_len; ++ unsigned int sub_offset; ++ unsigned int print_len; ++ unsigned int print_offset; + + cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path); + +@@ -891,11 +897,33 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, + kfree(utf16_path); + return -ENOENT; + } ++ ++ if (le32_to_cpu(err_buf->ByteCount) < sizeof(struct smb2_symlink_err_rsp) || ++ get_rfc1002_length(err_buf) + 4 < SMB2_SYMLINK_STRUCT_SIZE) { ++ kfree(utf16_path); ++ return -ENOENT; ++ } ++ + /* open must fail on symlink - reset rc */ + rc = 0; + symlink = (struct smb2_symlink_err_rsp *)err_buf->ErrorData; + sub_len = le16_to_cpu(symlink->SubstituteNameLength); + sub_offset = le16_to_cpu(symlink->SubstituteNameOffset); ++ print_len = le16_to_cpu(symlink->PrintNameLength); ++ print_offset = le16_to_cpu(symlink->PrintNameOffset); ++ ++ if (get_rfc1002_length(err_buf) + 4 < ++ SMB2_SYMLINK_STRUCT_SIZE + sub_offset + sub_len) { ++ kfree(utf16_path); ++ return -ENOENT; ++ } ++ ++ if (get_rfc1002_length(err_buf) + 4 < ++ SMB2_SYMLINK_STRUCT_SIZE + print_offset + print_len) { ++ kfree(utf16_path); ++ return -ENOENT; ++ } ++ + *target_path = cifs_strndup_from_utf16( + (char *)symlink->PathBuffer + sub_offset, + sub_len, true, cifs_sb->local_nls); +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index aaa16b31e21e..253ebd390f9b 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -965,6 +965,9 @@ int nfs_updatepage(struct file *file, struct page *page, + dprintk("NFS: nfs_updatepage(%pD2 %d@%lld)\n", + file, count, (long long)(page_file_offset(page) + offset)); + ++ if (!count) ++ goto out; ++ + if (nfs_can_extend_write(file, page, inode)) { + count = max(count + offset, nfs_page_length(page)); + offset = 0; +@@ -975,7 +978,7 @@ int nfs_updatepage(struct file *file, struct page *page, + nfs_set_pageerror(page); + else + __set_page_dirty_nobuffers(page); +- ++out: + dprintk("NFS: nfs_updatepage returns %d (isize %lld)\n", + status, (long long)i_size_read(inode)); + return status; +diff --git a/include/linux/mlx5/qp.h b/include/linux/mlx5/qp.h +index d51eff713549..6dcec3288870 100644 +--- a/include/linux/mlx5/qp.h ++++ b/include/linux/mlx5/qp.h +@@ -137,6 +137,7 @@ enum { + enum { + MLX5_FENCE_MODE_NONE = 0 << 5, + MLX5_FENCE_MODE_INITIATOR_SMALL = 1 << 5, ++ MLX5_FENCE_MODE_FENCE = 2 << 5, + MLX5_FENCE_MODE_STRONG_ORDERING = 3 << 5, + MLX5_FENCE_MODE_SMALL_AND_FENCE = 4 << 5, + }; +@@ -378,9 +379,9 @@ struct mlx5_destroy_qp_mbox_out { + struct mlx5_modify_qp_mbox_in { + struct mlx5_inbox_hdr hdr; + __be32 qpn; +- u8 rsvd1[4]; +- __be32 optparam; + u8 rsvd0[4]; ++ __be32 optparam; ++ u8 rsvd1[4]; + struct mlx5_qp_context ctx; + }; + +diff --git a/include/target/target_core_backend.h b/include/target/target_core_backend.h +index 522ae25a61a7..c519c126ee14 100644 +--- a/include/target/target_core_backend.h ++++ b/include/target/target_core_backend.h +@@ -96,6 +96,6 @@ void array_free(void *array, int n); + + sector_t target_to_linux_sector(struct se_device *dev, sector_t lb); + bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib, +- struct request_queue *q, int block_size); ++ struct request_queue *q); + + #endif /* TARGET_CORE_BACKEND_H */ +diff --git a/kernel/module.c b/kernel/module.c +index 3a311a1d26d7..6113c5a536b8 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2449,13 +2449,18 @@ static inline void kmemleak_load_module(const struct module *mod, + #endif + + #ifdef CONFIG_MODULE_SIG +-static int module_sig_check(struct load_info *info) ++static int module_sig_check(struct load_info *info, int flags) + { + int err = -ENOKEY; + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const void *mod = info->hdr; + +- if (info->len > markerlen && ++ /* ++ * Require flags == 0, as a module with version information ++ * removed is no longer the module that was signed ++ */ ++ if (flags == 0 && ++ info->len > markerlen && + memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { + /* We truncate the module to discard the signature */ + info->len -= markerlen; +@@ -2477,7 +2482,7 @@ static int module_sig_check(struct load_info *info) + return err; + } + #else /* !CONFIG_MODULE_SIG */ +-static int module_sig_check(struct load_info *info) ++static int module_sig_check(struct load_info *info, int flags) + { + return 0; + } +@@ -3210,7 +3215,7 @@ static int load_module(struct load_info *info, const char __user *uargs, + struct module *mod; + long err; + +- err = module_sig_check(info); ++ err = module_sig_check(info, flags); + if (err) + goto free_copy; + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 06a7a769737f..5fb1cc21df55 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -922,7 +922,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (get_user(opt, (u32 __user *) optval)) { ++ if (get_user(opt, (u16 __user *) optval)) { + err = -EFAULT; + break; + } +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 90f9d00a3fbc..963b7f746777 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3299,12 +3299,12 @@ static void tcp_send_challenge_ack(struct sock *sk) + u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1; + + challenge_timestamp = now; +- challenge_count = half + ++ ACCESS_ONCE(challenge_count) = half + + prandom_u32_max(sysctl_tcp_challenge_ack_limit); + } +- count = challenge_count; ++ count = ACCESS_ONCE(challenge_count); + if (count > 0) { +- challenge_count = count - 1; ++ ACCESS_ONCE(challenge_count) = count - 1; + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); + tcp_send_ack(sk); + } +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index b0fe13529033..f305c4b49617 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1233,6 +1233,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + int peeked, off = 0; + int err; + int is_udplite = IS_UDPLITE(sk); ++ bool checksum_valid = false; + bool slow; + + if (flags & MSG_ERRQUEUE) +@@ -1258,11 +1259,12 @@ try_again: + */ + + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { +- if (udp_lib_checksum_complete(skb)) ++ checksum_valid = !udp_lib_checksum_complete(skb); ++ if (!checksum_valid) + goto csum_copy_err; + } + +- if (skb_csum_unnecessary(skb)) ++ if (checksum_valid || skb_csum_unnecessary(skb)) + err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), + msg->msg_iov, copied); + else { +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index d2013c718112..639401cac06e 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -389,6 +389,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, + int peeked, off = 0; + int err; + int is_udplite = IS_UDPLITE(sk); ++ bool checksum_valid = false; + int is_udp4; + bool slow; + +@@ -420,11 +421,12 @@ try_again: + */ + + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { +- if (udp_lib_checksum_complete(skb)) ++ checksum_valid = !udp_lib_checksum_complete(skb); ++ if (!checksum_valid) + goto csum_copy_err; + } + +- if (skb_csum_unnecessary(skb)) ++ if (checksum_valid || skb_csum_unnecessary(skb)) + err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), + msg->msg_iov, copied); + else { +diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c +index 3045a964f39c..8473d34f2e3a 100644 +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -699,7 +699,11 @@ socket_setattr_return: + */ + void netlbl_sock_delattr(struct sock *sk) + { +- cipso_v4_sock_delattr(sk); ++ switch (sk->sk_family) { ++ case AF_INET: ++ cipso_v4_sock_delattr(sk); ++ break; ++ } + } + + /** +@@ -862,7 +866,11 @@ req_setattr_return: + */ + void netlbl_req_delattr(struct request_sock *req) + { +- cipso_v4_req_delattr(req); ++ switch (req->rsk_ops->family) { ++ case AF_INET: ++ cipso_v4_req_delattr(req); ++ break; ++ } + } + + /** +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c +index ee625e3a56ba..4f7d13da04a5 100644 +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -33,10 +33,17 @@ + #include + #include + ++/* ++ * glibc synced up and added the metag number but didn't add the relocations. ++ * Work around this in a crude manner for now. ++ */ + #ifndef EM_METAG +-/* Remove this when these make it to the standard system elf.h. */ + #define EM_METAG 174 ++#endif ++#ifndef R_METAG_ADDR32 + #define R_METAG_ADDR32 2 ++#endif ++#ifndef R_METAG_NONE + #define R_METAG_NONE 3 + #endif + diff --git a/patch/kernel/cubox-dev/patch-3.14.77-78.patch b/patch/kernel/cubox-dev/patch-3.14.77-78.patch new file mode 100644 index 000000000..d79970a5b --- /dev/null +++ b/patch/kernel/cubox-dev/patch-3.14.77-78.patch @@ -0,0 +1,1315 @@ +diff --git a/Makefile b/Makefile +index fc4df99727c1..74346f0d89c1 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 77 ++SUBLEVEL = 78 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h +index 01d3aab64b79..cc0e347379b7 100644 +--- a/arch/arm64/include/asm/elf.h ++++ b/arch/arm64/include/asm/elf.h +@@ -137,6 +137,7 @@ extern unsigned long randomize_et_dyn(unsigned long base); + + #define SET_PERSONALITY(ex) clear_thread_flag(TIF_32BIT); + ++/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */ + #define ARCH_DLINFO \ + do { \ + NEW_AUX_ENT(AT_SYSINFO_EHDR, \ +diff --git a/arch/arm64/include/uapi/asm/auxvec.h b/arch/arm64/include/uapi/asm/auxvec.h +index 22d6d8885854..4cf0c17787a8 100644 +--- a/arch/arm64/include/uapi/asm/auxvec.h ++++ b/arch/arm64/include/uapi/asm/auxvec.h +@@ -19,4 +19,6 @@ + /* vDSO location */ + #define AT_SYSINFO_EHDR 33 + ++#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */ ++ + #endif +diff --git a/arch/parisc/include/uapi/asm/errno.h b/arch/parisc/include/uapi/asm/errno.h +index c0ae62520d15..274d5bc6ecce 100644 +--- a/arch/parisc/include/uapi/asm/errno.h ++++ b/arch/parisc/include/uapi/asm/errno.h +@@ -97,10 +97,10 @@ + #define ENOTCONN 235 /* Transport endpoint is not connected */ + #define ESHUTDOWN 236 /* Cannot send after transport endpoint shutdown */ + #define ETOOMANYREFS 237 /* Too many references: cannot splice */ +-#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */ + #define ETIMEDOUT 238 /* Connection timed out */ + #define ECONNREFUSED 239 /* Connection refused */ +-#define EREMOTERELEASE 240 /* Remote peer released connection */ ++#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */ ++#define EREMOTERELEASE 240 /* Remote peer released connection */ + #define EHOSTDOWN 241 /* Host is down */ + #define EHOSTUNREACH 242 /* No route to host */ + +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index 04905bfc508b..5e4b0cc54e43 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -17,7 +17,14 @@ + + static inline void __native_flush_tlb(void) + { ++ /* ++ * If current->mm == NULL then we borrow a mm which may change during a ++ * task switch and therefore we must not be preempted while we write CR3 ++ * back: ++ */ ++ preempt_disable(); + native_write_cr3(native_read_cr3()); ++ preempt_enable(); + } + + static inline void __native_flush_tlb_global_irq_disabled(void) +diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c +index 91a32cefb11f..684baf937c7c 100644 +--- a/drivers/acpi/sysfs.c ++++ b/drivers/acpi/sysfs.c +@@ -494,23 +494,22 @@ static void acpi_global_event_handler(u32 event_type, acpi_handle device, + static int get_status(u32 index, acpi_event_status *status, + acpi_handle *handle) + { +- int result = 0; ++ int result; + + if (index >= num_gpes + ACPI_NUM_FIXED_EVENTS) +- goto end; ++ return -EINVAL; + + if (index < num_gpes) { + result = acpi_get_gpe_device(index, handle); + if (result) { + ACPI_EXCEPTION((AE_INFO, AE_NOT_FOUND, + "Invalid GPE 0x%x", index)); +- goto end; ++ return result; + } + result = acpi_get_gpe_status(*handle, index, status); + } else if (index < (num_gpes + ACPI_NUM_FIXED_EVENTS)) + result = acpi_get_event_status(index - num_gpes, status); + +-end: + return result; + } + +diff --git a/drivers/crypto/nx/nx.c b/drivers/crypto/nx/nx.c +index 5533fe31c90d..433a7696bf0f 100644 +--- a/drivers/crypto/nx/nx.c ++++ b/drivers/crypto/nx/nx.c +@@ -330,7 +330,7 @@ static void nx_of_update_msc(struct device *dev, + ((bytes_so_far + sizeof(struct msc_triplet)) <= lenp) && + i < msc->triplets; + i++) { +- if (msc->fc > NX_MAX_FC || msc->mode > NX_MAX_MODE) { ++ if (msc->fc >= NX_MAX_FC || msc->mode >= NX_MAX_MODE) { + dev_err(dev, "unknown function code/mode " + "combo: %d/%d (ignored)\n", msc->fc, + msc->mode); +diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c +index 19dc0bc9b136..9530c5703bb7 100644 +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -962,7 +962,7 @@ static void edac_inc_ue_error(struct mem_ctl_info *mci, + mci->ue_mc += count; + + if (!enable_per_layer_report) { +- mci->ce_noinfo_count += count; ++ mci->ue_noinfo_count += count; + return; + } + +diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig +index 903f24d28ba0..7025562ede12 100644 +--- a/drivers/gpio/Kconfig ++++ b/drivers/gpio/Kconfig +@@ -50,6 +50,7 @@ config GPIO_DEVRES + config OF_GPIO + def_bool y + depends on OF ++ depends on HAS_IOMEM + + config GPIO_ACPI + def_bool y +diff --git a/drivers/input/keyboard/tegra-kbc.c b/drivers/input/keyboard/tegra-kbc.c +index 9757a58bc897..5d39b966dd28 100644 +--- a/drivers/input/keyboard/tegra-kbc.c ++++ b/drivers/input/keyboard/tegra-kbc.c +@@ -376,7 +376,7 @@ static int tegra_kbc_start(struct tegra_kbc *kbc) + /* Reset the KBC controller to clear all previous status.*/ + reset_control_assert(kbc->rst); + udelay(100); +- reset_control_assert(kbc->rst); ++ reset_control_deassert(kbc->rst); + udelay(100); + + tegra_kbc_config_pins(kbc); +diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c +index eb796fff9e62..9a0cc5b5561a 100644 +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -1230,6 +1230,7 @@ static int __init i8042_create_kbd_port(void) + serio->start = i8042_start; + serio->stop = i8042_stop; + serio->close = i8042_port_close; ++ serio->ps2_cmd_mutex = &i8042_mutex; + serio->port_data = port; + serio->dev.parent = &i8042_platform_device->dev; + strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name)); +@@ -1257,6 +1258,7 @@ static int __init i8042_create_aux_port(int idx) + serio->write = i8042_aux_write; + serio->start = i8042_start; + serio->stop = i8042_stop; ++ serio->ps2_cmd_mutex = &i8042_mutex; + serio->port_data = port; + serio->dev.parent = &i8042_platform_device->dev; + if (idx < 0) { +@@ -1321,21 +1323,6 @@ static void i8042_unregister_ports(void) + } + } + +-/* +- * Checks whether port belongs to i8042 controller. +- */ +-bool i8042_check_port_owner(const struct serio *port) +-{ +- int i; +- +- for (i = 0; i < I8042_NUM_PORTS; i++) +- if (i8042_ports[i].serio == port) +- return true; +- +- return false; +-} +-EXPORT_SYMBOL(i8042_check_port_owner); +- + static void i8042_free_irqs(void) + { + if (i8042_aux_irq_registered) +diff --git a/drivers/input/serio/libps2.c b/drivers/input/serio/libps2.c +index 75516996db20..ded0c6f65c9f 100644 +--- a/drivers/input/serio/libps2.c ++++ b/drivers/input/serio/libps2.c +@@ -56,19 +56,17 @@ EXPORT_SYMBOL(ps2_sendbyte); + + void ps2_begin_command(struct ps2dev *ps2dev) + { +- mutex_lock(&ps2dev->cmd_mutex); ++ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex; + +- if (i8042_check_port_owner(ps2dev->serio)) +- i8042_lock_chip(); ++ mutex_lock(m); + } + EXPORT_SYMBOL(ps2_begin_command); + + void ps2_end_command(struct ps2dev *ps2dev) + { +- if (i8042_check_port_owner(ps2dev->serio)) +- i8042_unlock_chip(); ++ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex; + +- mutex_unlock(&ps2dev->cmd_mutex); ++ mutex_unlock(m); + } + EXPORT_SYMBOL(ps2_end_command); + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index a943c6c0f206..3f29cf979c09 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1349,10 +1349,10 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev) + if (!sysfs_initialized) + return -EACCES; + +- if (pdev->cfg_size < PCI_CFG_SPACE_EXP_SIZE) +- retval = sysfs_create_bin_file(&pdev->dev.kobj, &pci_config_attr); +- else ++ if (pdev->cfg_size > PCI_CFG_SPACE_SIZE) + retval = sysfs_create_bin_file(&pdev->dev.kobj, &pcie_config_attr); ++ else ++ retval = sysfs_create_bin_file(&pdev->dev.kobj, &pci_config_attr); + if (retval) + goto err; + +@@ -1409,10 +1409,10 @@ err_rom_file: + err_resource_files: + pci_remove_resource_files(pdev); + err_config_file: +- if (pdev->cfg_size < PCI_CFG_SPACE_EXP_SIZE) +- sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr); +- else ++ if (pdev->cfg_size > PCI_CFG_SPACE_SIZE) + sysfs_remove_bin_file(&pdev->dev.kobj, &pcie_config_attr); ++ else ++ sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr); + err: + return retval; + } +@@ -1446,10 +1446,10 @@ void pci_remove_sysfs_dev_files(struct pci_dev *pdev) + + pci_remove_capabilities_sysfs(pdev); + +- if (pdev->cfg_size < PCI_CFG_SPACE_EXP_SIZE) +- sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr); +- else ++ if (pdev->cfg_size > PCI_CFG_SPACE_SIZE) + sysfs_remove_bin_file(&pdev->dev.kobj, &pcie_config_attr); ++ else ++ sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr); + + pci_remove_resource_files(pdev); + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 09208ac59415..ca53d484513c 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -288,6 +288,18 @@ static void quirk_citrine(struct pci_dev *dev) + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, PCI_DEVICE_ID_IBM_CITRINE, quirk_citrine); + ++/* ++ * This chip can cause bus lockups if config addresses above 0x600 ++ * are read or written. ++ */ ++static void quirk_nfp6000(struct pci_dev *dev) ++{ ++ dev->cfg_size = 0x600; ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP4000, quirk_nfp6000); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP6000, quirk_nfp6000); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP6000_VF, quirk_nfp6000); ++ + /* On IBM Crocodile ipr SAS adapters, expand BAR to system page size */ + static void quirk_extend_bar_to_page(struct pci_dev *dev) + { +diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c +index 1eef0f586950..cf0214005fca 100644 +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -1613,9 +1613,18 @@ void dasd_int_handler(struct ccw_device *cdev, unsigned long intparm, + unsigned long long now; + int expires; + ++ cqr = (struct dasd_ccw_req *) intparm; + if (IS_ERR(irb)) { + switch (PTR_ERR(irb)) { + case -EIO: ++ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) { ++ device = (struct dasd_device *) cqr->startdev; ++ cqr->status = DASD_CQR_CLEARED; ++ dasd_device_clear_timer(device); ++ wake_up(&dasd_flush_wq); ++ dasd_schedule_device_bh(device); ++ return; ++ } + break; + case -ETIMEDOUT: + DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: " +@@ -1631,7 +1640,6 @@ void dasd_int_handler(struct ccw_device *cdev, unsigned long intparm, + } + + now = get_tod_clock(); +- cqr = (struct dasd_ccw_req *) intparm; + /* check for conditions that should be handled immediately */ + if (!cqr || + !(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) && +diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c +index fbcd48d0bfc3..16b2db3cd9f1 100644 +--- a/drivers/scsi/aacraid/commctrl.c ++++ b/drivers/scsi/aacraid/commctrl.c +@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg) + struct fib *fibptr; + struct hw_fib * hw_fib = (struct hw_fib *)0; + dma_addr_t hw_fib_pa = (dma_addr_t)0LL; +- unsigned size; ++ unsigned int size, osize; + int retval; + + if (dev->in_reset) { +@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg) + * will not overrun the buffer when we copy the memory. Return + * an error if we would. + */ +- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr); ++ osize = size = le16_to_cpu(kfib->header.Size) + ++ sizeof(struct aac_fibhdr); + if (size < le16_to_cpu(kfib->header.SenderSize)) + size = le16_to_cpu(kfib->header.SenderSize); + if (size > dev->max_fib_size) { +@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg) + goto cleanup; + } + ++ /* Sanity check the second copy */ ++ if ((osize != le16_to_cpu(kfib->header.Size) + ++ sizeof(struct aac_fibhdr)) ++ || (size < le16_to_cpu(kfib->header.SenderSize))) { ++ retval = -EINVAL; ++ goto cleanup; ++ } ++ + if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { + aac_adapter_interrupt(dev); + /* +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 9f833f1504cc..5ff955524aaf 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3624,7 +3624,7 @@ static int megasas_init_fw(struct megasas_instance *instance) + /* Find first memory bar */ + bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM); + instance->bar = find_first_bit(&bar_list, sizeof(unsigned long)); +- if (pci_request_selected_regions(instance->pdev, instance->bar, ++ if (pci_request_selected_regions(instance->pdev, 1<bar, + "megasas: LSI")) { + printk(KERN_DEBUG "megasas: IO memory region busy!\n"); + return -EBUSY; +@@ -3858,7 +3858,7 @@ fail_ready_state: + iounmap(instance->reg_set); + + fail_ioremap: +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + + return -EINVAL; + } +@@ -3879,7 +3879,7 @@ static void megasas_release_mfi(struct megasas_instance *instance) + + iounmap(instance->reg_set); + +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + } + + /** +diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c +index a1f04e3b2a8f..665131a0b616 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -2175,7 +2175,7 @@ megasas_release_fusion(struct megasas_instance *instance) + + iounmap(instance->reg_set); + +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + } + + /** +diff --git a/drivers/staging/comedi/drivers/daqboard2000.c b/drivers/staging/comedi/drivers/daqboard2000.c +index ce153fcb8b2a..3c585b9de1b6 100644 +--- a/drivers/staging/comedi/drivers/daqboard2000.c ++++ b/drivers/staging/comedi/drivers/daqboard2000.c +@@ -658,7 +658,7 @@ static const void *daqboard2000_find_boardinfo(struct comedi_device *dev, + const struct daq200_boardtype *board; + int i; + +- if (pcidev->subsystem_device != PCI_VENDOR_ID_IOTECH) ++ if (pcidev->subsystem_vendor != PCI_VENDOR_ID_IOTECH) + return NULL; + + for (i = 0; i < ARRAY_SIZE(boardtypes); i++) { +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index b6f5c7d3737b..18cb44d9cbd8 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1296,7 +1296,6 @@ made_compressed_probe: + spin_lock_init(&acm->write_lock); + spin_lock_init(&acm->read_lock); + mutex_init(&acm->mutex); +- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress); + acm->is_int_ep = usb_endpoint_xfer_int(epread); + if (acm->is_int_ep) + acm->bInterval = epread->bInterval; +@@ -1345,14 +1344,14 @@ made_compressed_probe: + urb->transfer_dma = rb->dma; + if (acm->is_int_ep) { + usb_fill_int_urb(urb, acm->dev, +- acm->rx_endpoint, ++ usb_rcvintpipe(usb_dev, epread->bEndpointAddress), + rb->base, + acm->readsize, + acm_read_bulk_callback, rb, + acm->bInterval); + } else { + usb_fill_bulk_urb(urb, acm->dev, +- acm->rx_endpoint, ++ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress), + rb->base, + acm->readsize, + acm_read_bulk_callback, rb); +diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h +index 80826f843e04..82db3387ac6e 100644 +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -95,7 +95,6 @@ struct acm { + struct urb *read_urbs[ACM_NR]; + struct acm_rb read_buffers[ACM_NR]; + int rx_buflimit; +- int rx_endpoint; + spinlock_t read_lock; + int write_used; /* number of non-empty write buffers */ + int transmitting; +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 12d14f91c4d3..0e9530997119 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -143,6 +143,31 @@ static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno, + } + } + ++static const unsigned short low_speed_maxpacket_maxes[4] = { ++ [USB_ENDPOINT_XFER_CONTROL] = 8, ++ [USB_ENDPOINT_XFER_ISOC] = 0, ++ [USB_ENDPOINT_XFER_BULK] = 0, ++ [USB_ENDPOINT_XFER_INT] = 8, ++}; ++static const unsigned short full_speed_maxpacket_maxes[4] = { ++ [USB_ENDPOINT_XFER_CONTROL] = 64, ++ [USB_ENDPOINT_XFER_ISOC] = 1023, ++ [USB_ENDPOINT_XFER_BULK] = 64, ++ [USB_ENDPOINT_XFER_INT] = 64, ++}; ++static const unsigned short high_speed_maxpacket_maxes[4] = { ++ [USB_ENDPOINT_XFER_CONTROL] = 64, ++ [USB_ENDPOINT_XFER_ISOC] = 1024, ++ [USB_ENDPOINT_XFER_BULK] = 512, ++ [USB_ENDPOINT_XFER_INT] = 1024, ++}; ++static const unsigned short super_speed_maxpacket_maxes[4] = { ++ [USB_ENDPOINT_XFER_CONTROL] = 512, ++ [USB_ENDPOINT_XFER_ISOC] = 1024, ++ [USB_ENDPOINT_XFER_BULK] = 1024, ++ [USB_ENDPOINT_XFER_INT] = 1024, ++}; ++ + static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + int asnum, struct usb_host_interface *ifp, int num_ep, + unsigned char *buffer, int size) +@@ -151,6 +176,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + struct usb_endpoint_descriptor *d; + struct usb_host_endpoint *endpoint; + int n, i, j, retval; ++ unsigned int maxp; ++ const unsigned short *maxpacket_maxes; + + d = (struct usb_endpoint_descriptor *) buffer; + buffer += d->bLength; +@@ -192,6 +219,7 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + if (usb_endpoint_xfer_int(d)) { + i = 1; + switch (to_usb_device(ddev)->speed) { ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + case USB_SPEED_HIGH: + /* Many device manufacturers are using full-speed +@@ -246,6 +274,42 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + endpoint->desc.wMaxPacketSize = cpu_to_le16(8); + } + ++ /* Validate the wMaxPacketSize field */ ++ maxp = usb_endpoint_maxp(&endpoint->desc); ++ ++ /* Find the highest legal maxpacket size for this endpoint */ ++ i = 0; /* additional transactions per microframe */ ++ switch (to_usb_device(ddev)->speed) { ++ case USB_SPEED_LOW: ++ maxpacket_maxes = low_speed_maxpacket_maxes; ++ break; ++ case USB_SPEED_FULL: ++ maxpacket_maxes = full_speed_maxpacket_maxes; ++ break; ++ case USB_SPEED_HIGH: ++ /* Bits 12..11 are allowed only for HS periodic endpoints */ ++ if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) { ++ i = maxp & (BIT(12) | BIT(11)); ++ maxp &= ~i; ++ } ++ /* fallthrough */ ++ default: ++ maxpacket_maxes = high_speed_maxpacket_maxes; ++ break; ++ case USB_SPEED_SUPER: ++ case USB_SPEED_SUPER_PLUS: ++ maxpacket_maxes = super_speed_maxpacket_maxes; ++ break; ++ } ++ j = maxpacket_maxes[usb_endpoint_type(&endpoint->desc)]; ++ ++ if (maxp > j) { ++ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid maxpacket %d, setting to %d\n", ++ cfgno, inum, asnum, d->bEndpointAddress, maxp, j); ++ maxp = j; ++ endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp); ++ } ++ + /* + * Some buggy high speed devices have bulk endpoints using + * maxpacket sizes other than 512. High speed HCDs may not +@@ -253,9 +317,6 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + */ + if (to_usb_device(ddev)->speed == USB_SPEED_HIGH + && usb_endpoint_xfer_bulk(d)) { +- unsigned maxp; +- +- maxp = usb_endpoint_maxp(&endpoint->desc) & 0x07ff; + if (maxp != 512) + dev_warn(ddev, "config %d interface %d altsetting %d " + "bulk endpoint 0x%X has invalid maxpacket %d\n", +@@ -264,7 +325,7 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + } + + /* Parse a possible SuperSpeed endpoint companion descriptor */ +- if (to_usb_device(ddev)->speed == USB_SPEED_SUPER) ++ if (to_usb_device(ddev)->speed >= USB_SPEED_SUPER) + usb_parse_ss_endpoint_companion(ddev, cfgno, + inum, asnum, endpoint, buffer, size); + +diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c +index 2a3bbdf7eb94..332ed277a06c 100644 +--- a/drivers/usb/core/devices.c ++++ b/drivers/usb/core/devices.c +@@ -221,7 +221,7 @@ static char *usb_dump_endpoint_descriptor(int speed, char *start, char *end, + break; + case USB_ENDPOINT_XFER_INT: + type = "Int."; +- if (speed == USB_SPEED_HIGH || speed == USB_SPEED_SUPER) ++ if (speed == USB_SPEED_HIGH || speed >= USB_SPEED_SUPER) + interval = 1 << (desc->bInterval - 1); + else + interval = desc->bInterval; +@@ -230,7 +230,7 @@ static char *usb_dump_endpoint_descriptor(int speed, char *start, char *end, + return start; + } + interval *= (speed == USB_SPEED_HIGH || +- speed == USB_SPEED_SUPER) ? 125 : 1000; ++ speed >= USB_SPEED_SUPER) ? 125 : 1000; + if (interval % 1000) + unit = 'u'; + else { +@@ -322,7 +322,7 @@ static char *usb_dump_config_descriptor(char *start, char *end, + + if (start > end) + return start; +- if (speed == USB_SPEED_SUPER) ++ if (speed >= USB_SPEED_SUPER) + mul = 8; + else + mul = 2; +@@ -534,6 +534,8 @@ static ssize_t usb_device_dump(char __user **buffer, size_t *nbytes, + speed = "480"; break; + case USB_SPEED_SUPER: + speed = "5000"; break; ++ case USB_SPEED_SUPER_PLUS: ++ speed = "10000"; break; + default: + speed = "??"; + } +@@ -553,7 +555,7 @@ static ssize_t usb_device_dump(char __user **buffer, size_t *nbytes, + + /* super/high speed reserves 80%, full/low reserves 90% */ + if (usbdev->speed == USB_SPEED_HIGH || +- usbdev->speed == USB_SPEED_SUPER) ++ usbdev->speed >= USB_SPEED_SUPER) + max = 800; + else + max = FRAME_TIME_MAX_USECS_ALLOC; +diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c +index ccdcc7063eee..a5ffceb50007 100644 +--- a/drivers/usb/core/hcd-pci.c ++++ b/drivers/usb/core/hcd-pci.c +@@ -207,7 +207,7 @@ int usb_hcd_pci_probe(struct pci_dev *dev, const struct pci_device_id *id) + * The xHCI driver has its own irq management + * make sure irq setup is not touched for xhci in generic hcd code + */ +- if ((driver->flags & HCD_MASK) != HCD_USB3) { ++ if ((driver->flags & HCD_MASK) < HCD_USB3) { + if (!dev->irq) { + dev_err(&dev->dev, + "Found HC with no IRQ. Check BIOS/PCI %s setup!\n", +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index ee6c5562d296..2e6ec875b1b7 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1024,7 +1024,7 @@ static int register_root_hub(struct usb_hcd *hcd) + dev_name(&usb_dev->dev), retval); + return (retval < 0) ? retval : -EMSGSIZE; + } +- if (usb_dev->speed == USB_SPEED_SUPER) { ++ if (usb_dev->speed >= USB_SPEED_SUPER) { + retval = usb_get_bos_descriptor(usb_dev); + if (retval < 0) { + mutex_unlock(&usb_bus_list_lock); +@@ -2055,7 +2055,7 @@ int usb_alloc_streams(struct usb_interface *interface, + hcd = bus_to_hcd(dev->bus); + if (!hcd->driver->alloc_streams || !hcd->driver->free_streams) + return -EINVAL; +- if (dev->speed != USB_SPEED_SUPER) ++ if (dev->speed < USB_SPEED_SUPER) + return -EINVAL; + if (dev->state < USB_STATE_CONFIGURED) + return -ENODEV; +@@ -2093,7 +2093,7 @@ int usb_free_streams(struct usb_interface *interface, + + dev = interface_to_usbdev(interface); + hcd = bus_to_hcd(dev->bus); +- if (dev->speed != USB_SPEED_SUPER) ++ if (dev->speed < USB_SPEED_SUPER) + return -EINVAL; + + /* Streams only apply to bulk endpoints. */ +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index f46ac929ef8a..a5f77367386d 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -297,7 +297,7 @@ static void usb_set_lpm_parameters(struct usb_device *udev) + unsigned int hub_u1_del; + unsigned int hub_u2_del; + +- if (!udev->lpm_capable || udev->speed != USB_SPEED_SUPER) ++ if (!udev->lpm_capable || udev->speed < USB_SPEED_SUPER) + return; + + hub = usb_hub_to_struct_hub(udev->parent); +@@ -2559,7 +2559,7 @@ static unsigned hub_is_wusb(struct usb_hub *hub) + */ + static bool use_new_scheme(struct usb_device *udev, int retry) + { +- if (udev->speed == USB_SPEED_SUPER) ++ if (udev->speed >= USB_SPEED_SUPER) + return false; + + return USE_NEW_SCHEME(retry); +@@ -3812,7 +3812,7 @@ int usb_disable_lpm(struct usb_device *udev) + struct usb_hcd *hcd; + + if (!udev || !udev->parent || +- udev->speed != USB_SPEED_SUPER || ++ udev->speed < USB_SPEED_SUPER || + !udev->lpm_capable) + return 0; + +@@ -3868,7 +3868,7 @@ void usb_enable_lpm(struct usb_device *udev) + struct usb_hcd *hcd; + + if (!udev || !udev->parent || +- udev->speed != USB_SPEED_SUPER || ++ udev->speed < USB_SPEED_SUPER || + !udev->lpm_capable) + return; + +@@ -4127,7 +4127,9 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + + retval = -ENODEV; + +- if (oldspeed != USB_SPEED_UNKNOWN && oldspeed != udev->speed) { ++ /* Don't allow speed changes at reset, except usb 3.0 to faster */ ++ if (oldspeed != USB_SPEED_UNKNOWN && oldspeed != udev->speed && ++ !(oldspeed == USB_SPEED_SUPER && udev->speed > oldspeed)) { + dev_dbg(&udev->dev, "device reset changed speed!\n"); + goto fail; + } +@@ -4139,6 +4141,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + * reported as 0xff in the device descriptor). WUSB1.0[4.8.1]. + */ + switch (udev->speed) { ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + case USB_SPEED_WIRELESS: /* fixed at 512 */ + udev->ep0.desc.wMaxPacketSize = cpu_to_le16(512); +@@ -4165,7 +4168,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + else + speed = usb_speed_string(udev->speed); + +- if (udev->speed != USB_SPEED_SUPER) ++ if (udev->speed < USB_SPEED_SUPER) + dev_info(&udev->dev, + "%s %s USB device number %d using %s\n", + (udev->config) ? "reset" : "new", speed, +@@ -4291,11 +4294,12 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + devnum, retval); + goto fail; + } +- if (udev->speed == USB_SPEED_SUPER) { ++ if (udev->speed >= USB_SPEED_SUPER) { + devnum = udev->devnum; + dev_info(&udev->dev, +- "%s SuperSpeed USB device number %d using %s\n", ++ "%s SuperSpeed%s USB device number %d using %s\n", + (udev->config) ? "reset" : "new", ++ (udev->speed == USB_SPEED_SUPER_PLUS) ? "Plus" : "", + devnum, udev->bus->controller->driver->name); + } + +@@ -4337,7 +4341,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + * got from those devices show they aren't superspeed devices. Warm + * reset the port attached by the devices can fix them. + */ +- if ((udev->speed == USB_SPEED_SUPER) && ++ if ((udev->speed >= USB_SPEED_SUPER) && + (le16_to_cpu(udev->descriptor.bcdUSB) < 0x0300)) { + dev_err(&udev->dev, "got a wrong device descriptor, " + "warm reset device\n"); +@@ -4348,7 +4352,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + } + + if (udev->descriptor.bMaxPacketSize0 == 0xff || +- udev->speed == USB_SPEED_SUPER) ++ udev->speed >= USB_SPEED_SUPER) + i = 512; + else + i = udev->descriptor.bMaxPacketSize0; +@@ -4607,7 +4611,7 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, + udev->level = hdev->level + 1; + udev->wusb = hub_is_wusb(hub); + +- /* Only USB 3.0 devices are connected to SuperSpeed hubs. */ ++ /* Devices connected to SuperSpeed hubs are USB 3.0 or later */ + if (hub_is_superspeed(hub->hdev)) + udev->speed = USB_SPEED_SUPER; + else +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 9ff665f1322f..a47d904b3f87 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -402,7 +402,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags) + /* SuperSpeed isoc endpoints have up to 16 bursts of up to + * 3 packets each + */ +- if (dev->speed == USB_SPEED_SUPER) { ++ if (dev->speed >= USB_SPEED_SUPER) { + int burst = 1 + ep->ss_ep_comp.bMaxBurst; + int mult = USB_SS_MULT(ep->ss_ep_comp.bmAttributes); + max *= burst; +@@ -499,6 +499,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags) + } + /* too big? */ + switch (dev->speed) { ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: /* units are 125us */ + /* Handle up to 2^(16-1) microframes */ + if (urb->interval > (1 << 15)) +diff --git a/drivers/usb/core/usb.h b/drivers/usb/core/usb.h +index 0923add72b59..e9fad3d863a3 100644 +--- a/drivers/usb/core/usb.h ++++ b/drivers/usb/core/usb.h +@@ -43,7 +43,7 @@ static inline unsigned usb_get_max_power(struct usb_device *udev, + struct usb_host_config *c) + { + /* SuperSpeed power is in 8 mA units; others are in 2 mA units */ +- unsigned mul = (udev->speed == USB_SPEED_SUPER ? 8 : 2); ++ unsigned mul = (udev->speed >= USB_SPEED_SUPER ? 8 : 2); + + return c->desc.bMaxPower * mul; + } +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index a57ad1f52f79..48fa53ba354b 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1799,14 +1799,6 @@ static int __dwc3_cleanup_done_trbs(struct dwc3 *dwc, struct dwc3_ep *dep, + s_pkt = 1; + } + +- /* +- * We assume here we will always receive the entire data block +- * which we should receive. Meaning, if we program RX to +- * receive 4K but we receive only 2K, we assume that's all we +- * should receive and we simply bounce the request back to the +- * gadget driver for further processing. +- */ +- req->request.actual += req->request.length - count; + if (s_pkt) + return 1; + if ((event->status & DEPEVT_STATUS_LST) && +@@ -1826,6 +1818,7 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep, + struct dwc3_trb *trb; + unsigned int slot; + unsigned int i; ++ int count = 0; + int ret; + + do { +@@ -1842,6 +1835,8 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep, + slot++; + slot %= DWC3_TRB_NUM; + trb = &dep->trb_pool[slot]; ++ count += trb->size & DWC3_TRB_SIZE_MASK; ++ + + ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, + event, status); +@@ -1849,6 +1844,14 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep, + break; + }while (++i < req->request.num_mapped_sgs); + ++ /* ++ * We assume here we will always receive the entire data block ++ * which we should receive. Meaning, if we program RX to ++ * receive 4K but we receive only 2K, we assume that's all we ++ * should receive and we simply bounce the request back to the ++ * gadget driver for further processing. ++ */ ++ req->request.actual += req->request.length - count; + dwc3_gadget_giveback(dep, req, status); + + if (ret) +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 7f01f165e77b..69b28af70b7c 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -276,6 +276,9 @@ static int xhci_stop_device(struct xhci_hcd *xhci, int slot_id, int suspend) + + ret = 0; + virt_dev = xhci->devs[slot_id]; ++ if (!virt_dev) ++ return -ENODEV; ++ + cmd = xhci_alloc_command(xhci, false, true, GFP_NOIO); + if (!cmd) { + xhci_dbg(xhci, "Couldn't allocate command structure.\n"); +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index b39d217310fe..831e28989181 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -974,7 +974,7 @@ static u32 xhci_find_real_port_number(struct xhci_hcd *xhci, + struct usb_device *top_dev; + struct usb_hcd *hcd; + +- if (udev->speed == USB_SPEED_SUPER) ++ if (udev->speed >= USB_SPEED_SUPER) + hcd = xhci->shared_hcd; + else + hcd = xhci->main_hcd; +@@ -1009,6 +1009,7 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud + /* 3) Only the control endpoint is valid - one endpoint context */ + slot_ctx->dev_info |= cpu_to_le32(LAST_CTX(1) | udev->route); + switch (udev->speed) { ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + slot_ctx->dev_info |= cpu_to_le32(SLOT_SPEED_SS); + max_packets = MAX_PACKET(512); +@@ -1196,6 +1197,7 @@ static unsigned int xhci_get_endpoint_interval(struct usb_device *udev, + } + /* Fall through - SS and HS isoc/int have same decoding */ + ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + if (usb_endpoint_xfer_int(&ep->desc) || + usb_endpoint_xfer_isoc(&ep->desc)) { +@@ -1236,7 +1238,7 @@ static unsigned int xhci_get_endpoint_interval(struct usb_device *udev, + static u32 xhci_get_endpoint_mult(struct usb_device *udev, + struct usb_host_endpoint *ep) + { +- if (udev->speed != USB_SPEED_SUPER || ++ if (udev->speed < USB_SPEED_SUPER || + !usb_endpoint_xfer_isoc(&ep->desc)) + return 0; + return ep->ss_ep_comp.bmAttributes; +@@ -1288,7 +1290,7 @@ static u32 xhci_get_max_esit_payload(struct xhci_hcd *xhci, + usb_endpoint_xfer_bulk(&ep->desc)) + return 0; + +- if (udev->speed == USB_SPEED_SUPER) ++ if (udev->speed >= USB_SPEED_SUPER) + return le16_to_cpu(ep->ss_ep_comp.wBytesPerInterval); + + max_packet = GET_MAX_PACKET(usb_endpoint_maxp(&ep->desc)); +@@ -1359,6 +1361,7 @@ int xhci_endpoint_init(struct xhci_hcd *xhci, + max_packet = GET_MAX_PACKET(usb_endpoint_maxp(&ep->desc)); + max_burst = 0; + switch (udev->speed) { ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + /* dig out max burst from ep companion desc */ + max_burst = ep->ss_ep_comp.bMaxBurst; +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 3bfe81c6229a..4025a57ffb98 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -3705,7 +3705,7 @@ static unsigned int xhci_get_burst_count(struct xhci_hcd *xhci, + { + unsigned int max_burst; + +- if (xhci->hci_version < 0x100 || udev->speed != USB_SPEED_SUPER) ++ if (xhci->hci_version < 0x100 || udev->speed < USB_SPEED_SUPER) + return 0; + + max_burst = urb->ep->ss_ep_comp.bMaxBurst; +@@ -3731,6 +3731,7 @@ static unsigned int xhci_get_last_burst_packet_count(struct xhci_hcd *xhci, + return 0; + + switch (udev->speed) { ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + /* bMaxBurst is zero based: 0 means 1 packet per burst */ + max_burst = urb->ep->ss_ep_comp.bMaxBurst; +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index b63507bbf74b..648f8c4761ed 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -2054,6 +2054,7 @@ static unsigned int xhci_get_block_size(struct usb_device *udev) + case USB_SPEED_HIGH: + return HS_BLOCK; + case USB_SPEED_SUPER: ++ case USB_SPEED_SUPER_PLUS: + return SS_BLOCK; + case USB_SPEED_UNKNOWN: + case USB_SPEED_WIRELESS: +@@ -2179,7 +2180,7 @@ static int xhci_check_bw_table(struct xhci_hcd *xhci, + unsigned int packets_remaining = 0; + unsigned int i; + +- if (virt_dev->udev->speed == USB_SPEED_SUPER) ++ if (virt_dev->udev->speed >= USB_SPEED_SUPER) + return xhci_check_ss_bw(xhci, virt_dev); + + if (virt_dev->udev->speed == USB_SPEED_HIGH) { +@@ -2380,7 +2381,7 @@ void xhci_drop_ep_from_interval_table(struct xhci_hcd *xhci, + if (xhci_is_async_ep(ep_bw->type)) + return; + +- if (udev->speed == USB_SPEED_SUPER) { ++ if (udev->speed >= USB_SPEED_SUPER) { + if (xhci_is_sync_in_ep(ep_bw->type)) + xhci->devs[udev->slot_id]->bw_table->ss_bw_in -= + xhci_get_ss_bw_consumed(ep_bw); +@@ -2418,6 +2419,7 @@ void xhci_drop_ep_from_interval_table(struct xhci_hcd *xhci, + interval_bw->overhead[HS_OVERHEAD_TYPE] -= 1; + break; + case USB_SPEED_SUPER: ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_UNKNOWN: + case USB_SPEED_WIRELESS: + /* Should never happen because only LS/FS/HS endpoints will get +@@ -2477,6 +2479,7 @@ static void xhci_add_ep_to_interval_table(struct xhci_hcd *xhci, + interval_bw->overhead[HS_OVERHEAD_TYPE] += 1; + break; + case USB_SPEED_SUPER: ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_UNKNOWN: + case USB_SPEED_WIRELESS: + /* Should never happen because only LS/FS/HS endpoints will get +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index fb3a832d86e3..6103727cd060 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -661,6 +661,8 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, FTDI_ELV_TFD128_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_ELV_FM3RX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_ELV_WS777_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_PALMSENS_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_IVIUM_XSTAT_PID) }, + { USB_DEVICE(FTDI_VID, LINX_SDMUSBQSS_PID) }, + { USB_DEVICE(FTDI_VID, LINX_MASTERDEVEL2_PID) }, + { USB_DEVICE(FTDI_VID, LINX_FUTURE_0_PID) }, +@@ -1021,6 +1023,7 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) }, + { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) }, + { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) }, ++ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 334bc600282d..48db84f25cc9 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -406,6 +406,12 @@ + #define FTDI_4N_GALAXY_DE_3_PID 0xF3C2 + + /* ++ * Ivium Technologies product IDs ++ */ ++#define FTDI_PALMSENS_PID 0xf440 ++#define FTDI_IVIUM_XSTAT_PID 0xf441 ++ ++/* + * Linx Technologies product ids + */ + #define LINX_SDMUSBQSS_PID 0xF448 /* Linx SDM-USB-QS-S */ +@@ -673,6 +679,12 @@ + #define INTREPID_NEOVI_PID 0x0701 + + /* ++ * WICED USB UART ++ */ ++#define WICED_VID 0x0A5C ++#define WICED_USB20706V2_PID 0x6422 ++ ++/* + * Definitions for ID TECH (www.idt-net.com) devices + */ + #define IDTECH_VID 0x0ACD /* ID TECH Vendor ID */ +diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c +index 4eb277225a77..56bc36439146 100644 +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -1239,7 +1239,7 @@ static int mos7720_write(struct tty_struct *tty, struct usb_serial_port *port, + + if (urb->transfer_buffer == NULL) { + urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!urb->transfer_buffer) + goto exit; + } +diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c +index e9d967ff521b..92f1a3bc22a8 100644 +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -1372,8 +1372,8 @@ static int mos7840_write(struct tty_struct *tty, struct usb_serial_port *port, + } + + if (urb->transfer_buffer == NULL) { +- urb->transfer_buffer = +- kmalloc(URB_TRANSFER_BUFFER_SIZE, GFP_KERNEL); ++ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE, ++ GFP_ATOMIC); + if (!urb->transfer_buffer) + goto exit; + } +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 006a2a721edf..2bc169692965 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -275,6 +275,12 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 + #define TELIT_PRODUCT_LE910_USBCFG4 0x1206 ++#define TELIT_PRODUCT_LE920A4_1207 0x1207 ++#define TELIT_PRODUCT_LE920A4_1208 0x1208 ++#define TELIT_PRODUCT_LE920A4_1211 0x1211 ++#define TELIT_PRODUCT_LE920A4_1212 0x1212 ++#define TELIT_PRODUCT_LE920A4_1213 0x1213 ++#define TELIT_PRODUCT_LE920A4_1214 0x1214 + + /* ZTE PRODUCTS */ + #define ZTE_VENDOR_ID 0x19d2 +@@ -636,6 +642,11 @@ static const struct option_blacklist_info telit_le920_blacklist = { + .reserved = BIT(1) | BIT(5), + }; + ++static const struct option_blacklist_info telit_le920a4_blacklist_1 = { ++ .sendsetup = BIT(0), ++ .reserved = BIT(1), ++}; ++ + static const struct option_blacklist_info telit_le922_blacklist_usbcfg0 = { + .sendsetup = BIT(2), + .reserved = BIT(0) | BIT(1) | BIT(3), +@@ -1211,6 +1222,16 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), + .driver_info = (kernel_ulong_t)&telit_le920_blacklist }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1207) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1208), ++ .driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1211), ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1212), ++ .driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214), ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, +@@ -1839,6 +1860,7 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ + { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */ + { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ + { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) }, + { USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) }, +diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c +index 3d66e9c5a95d..a5308a97f65e 100644 +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -1426,7 +1426,7 @@ int usb_serial_register_drivers(struct usb_serial_driver *const serial_drivers[] + + rc = usb_register(udriver); + if (rc) +- return rc; ++ goto failed_usb_register; + + for (sd = serial_drivers; *sd; ++sd) { + (*sd)->usb_driver = udriver; +@@ -1444,6 +1444,8 @@ int usb_serial_register_drivers(struct usb_serial_driver *const serial_drivers[] + while (sd-- > serial_drivers) + usb_serial_deregister(*sd); + usb_deregister(udriver); ++failed_usb_register: ++ kfree(udriver); + return rc; + } + EXPORT_SYMBOL_GPL(usb_serial_register_drivers); +diff --git a/fs/seq_file.c b/fs/seq_file.c +index 1d641bb108d2..d88584c61c1e 100644 +--- a/fs/seq_file.c ++++ b/fs/seq_file.c +@@ -207,8 +207,10 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) + size -= n; + buf += n; + copied += n; +- if (!m->count) ++ if (!m->count) { ++ m->from = 0; + m->index++; ++ } + if (!size) + goto Done; + } +diff --git a/include/linux/i8042.h b/include/linux/i8042.h +index 0f9bafa17a02..d98780ca9604 100644 +--- a/include/linux/i8042.h ++++ b/include/linux/i8042.h +@@ -62,7 +62,6 @@ struct serio; + void i8042_lock_chip(void); + void i8042_unlock_chip(void); + int i8042_command(unsigned char *param, int command); +-bool i8042_check_port_owner(const struct serio *); + int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str, + struct serio *serio)); + int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str, +@@ -83,11 +82,6 @@ static inline int i8042_command(unsigned char *param, int command) + return -ENODEV; + } + +-static inline bool i8042_check_port_owner(const struct serio *serio) +-{ +- return false; +-} +- + static inline int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str, + struct serio *serio)) + { +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 057c1d8c77e5..b3bf527d211b 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2473,6 +2473,13 @@ + #define PCI_DEVICE_ID_KORENIX_JETCARDF2 0x1700 + #define PCI_DEVICE_ID_KORENIX_JETCARDF3 0x17ff + ++#define PCI_VENDOR_ID_NETRONOME 0x19ee ++#define PCI_DEVICE_ID_NETRONOME_NFP3200 0x3200 ++#define PCI_DEVICE_ID_NETRONOME_NFP3240 0x3240 ++#define PCI_DEVICE_ID_NETRONOME_NFP4000 0x4000 ++#define PCI_DEVICE_ID_NETRONOME_NFP6000 0x6000 ++#define PCI_DEVICE_ID_NETRONOME_NFP6000_VF 0x6003 ++ + #define PCI_VENDOR_ID_QMI 0x1a32 + + #define PCI_VENDOR_ID_AZWAVE 0x1a3b +diff --git a/include/linux/serio.h b/include/linux/serio.h +index 9f779c7a2da4..27ae809edd70 100644 +--- a/include/linux/serio.h ++++ b/include/linux/serio.h +@@ -29,7 +29,8 @@ struct serio { + + struct serio_device_id id; + +- spinlock_t lock; /* protects critical sections from port's interrupt handler */ ++ /* Protects critical sections from port's interrupt handler */ ++ spinlock_t lock; + + int (*write)(struct serio *, unsigned char); + int (*open)(struct serio *); +@@ -38,16 +39,29 @@ struct serio { + void (*stop)(struct serio *); + + struct serio *parent; +- struct list_head child_node; /* Entry in parent->children list */ ++ /* Entry in parent->children list */ ++ struct list_head child_node; + struct list_head children; +- unsigned int depth; /* level of nesting in serio hierarchy */ ++ /* Level of nesting in serio hierarchy */ ++ unsigned int depth; + +- struct serio_driver *drv; /* accessed from interrupt, must be protected by serio->lock and serio->sem */ +- struct mutex drv_mutex; /* protects serio->drv so attributes can pin driver */ ++ /* ++ * serio->drv is accessed from interrupt handlers; when modifying ++ * caller should acquire serio->drv_mutex and serio->lock. ++ */ ++ struct serio_driver *drv; ++ /* Protects serio->drv so attributes can pin current driver */ ++ struct mutex drv_mutex; + + struct device dev; + + struct list_head node; ++ ++ /* ++ * For use by PS/2 layer when several ports share hardware and ++ * may get indigestion when exposed to concurrent access (i8042). ++ */ ++ struct mutex *ps2_cmd_mutex; + }; + #define to_serio_port(d) container_of(d, struct serio, dev) + +diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h +index aa33fd1b2d4f..bff03877a2c8 100644 +--- a/include/uapi/linux/usb/ch9.h ++++ b/include/uapi/linux/usb/ch9.h +@@ -913,6 +913,7 @@ enum usb_device_speed { + USB_SPEED_HIGH, /* usb 2.0 */ + USB_SPEED_WIRELESS, /* wireless (usb 2.5) */ + USB_SPEED_SUPER, /* usb 3.0 */ ++ USB_SPEED_SUPER_PLUS, /* usb 3.1 */ + }; + + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 453e974287d1..ccaffd79dc6d 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1126,7 +1126,7 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev) + + /* free all potentially still buffered bcast frames */ + local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf); +- skb_queue_purge(&sdata->u.ap.ps.bc_buf); ++ ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf); + + ieee80211_vif_copy_chanctx_to_vlans(sdata, true); + mutex_lock(&local->mtx); +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index bc08a9ce3bd4..0f334c15ec9d 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -351,7 +351,7 @@ static void purge_old_ps_buffers(struct ieee80211_local *local) + skb = skb_dequeue(&ps->bc_buf); + if (skb) { + purged++; +- dev_kfree_skb(skb); ++ ieee80211_free_txskb(&local->hw, skb); + } + total += skb_queue_len(&ps->bc_buf); + } +@@ -434,7 +434,7 @@ ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx) + if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) { + ps_dbg(tx->sdata, + "BC TX buffer full - dropping the oldest frame\n"); +- dev_kfree_skb(skb_dequeue(&ps->bc_buf)); ++ ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf)); + } else + tx->local->total_ps_buffered++; + +@@ -2910,7 +2910,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw, + sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev); + if (!ieee80211_tx_prepare(sdata, &tx, skb)) + break; +- dev_kfree_skb_any(skb); ++ ieee80211_free_txskb(hw, skb); + } + + info = IEEE80211_SKB_CB(skb);